This report is a product of the Defense Science Board (DSB).
The DSB is a Federal Advisory Committee established to provide
independent advice to the Secretary of Defense. Statements,
opinions, conclusions, and recommendations in this report do not
necessarily represent the official position of the Department of Defense.

I am pleased to forward the final report of the DSB Task Force on Information
Warfare (Defense), which was chaired by Mr. Duane P. Andrews. You asked the
Task Force to focus on protection of information interests of national importance
through establishment and maintenance of a credible information warfare (IW)
defensive capability in several areas, including deterrence, and to make
recommendations regarding the creation and maintenance of specific aspects
of a national information warfare defense capability.

The Task Force recommends a series of over 50 actions designed to better
prepare the Department for this new form of warfare beginning with identification
of an accountable focal point within the Department for all IW activities
and ending with the allocation or reallocation of approximately $3 billion
over the next 5 years to implement these recommended actions.

Attached is the report of the DSB Task Force on Information Warfare (Defense).

We conclude that there is a need for extraordinary action to deal with the
present and emerging challenges of defending against possible information
warfare attacks on facilities, information, information systems, and networks
of the United States which would seriously affect the ability of the Department
of Defense to carry out its assigned missions and functions. We have observed
an increasing dependency on the Defense Information Infrastructure and increasing
doctrinal assumptions regarding the continued availability of that
infrastructure. This dependency and these assumptions are ingredients in
a recipe for a national security disaster.

I should also point out that this is the third consecutive year a DSB Summer
Study or Task Force has made similar recommendations to better prepare the
Department for the challenges of information warfare.

Accordingly, we recommend a series of over 50 actions designed to better
prepare the Department for this new form of warfare beginning with identification
of an accountable focal point within the Department for all IW activities
and ending with the allocation or reallocation of approximately $3 billion
over the next 5 years to implement these recommended actions.

We will be, of course, happy to provide any further assistance you may desire.

Sincerely,

[Signature]

Duane P. Andrews

Attachment

PREFACE

The Defense Science Board Task Force on Information Warfare (Defense) was
established at the direction of the Under Secretary of Defense for Acquisition
and Technology. By USD(A&T) Memorandum for the Chairman, Defense Science
Board, dated October 4, 1995, the Task Force was directed to "focus on protection
of information interests of national importance through the establishment
and maintenance of a credible information warfare defensive capability in
several areas, including deterrence." Specifically, the Task Force was asked
to:

Identify the information users of national interest who can be attacked through
the shared elements of the national information infrastructure.

Determine the scope of national information interests to be defended by
information warfare defense and deterrence capabilities.

Characterize the procedures, processes, and mechanisms required to defend
against various classes of threats to the national information infrastructure
and the information users of national interest.

Identify the indications and warning, tactical warning, and attack assessment
procedures, processes, and mechanisms needed to anticipate, detect, and
characterize attacks on the national information infrastructure and/or attacks
on the information users of national interest.

Identify the reasonable roles of government and the private sector, alone
and in concert, in creating, managing, and operating a national information
warfare-defense capability.

Provide specific guidelines for implementation of the Task Force's
recommendations.

For the purpose of this report, the terms national and national-level are
assumed to include Federal, state and local governments, academia, associations,
public interest organizations, and the private sector.

This report presents the conclusions and recommendations of the Task Force
based on study efforts of the Task Force and Panels created by the Task Force
to address specific areas of interest. The report is organized as follows:

Section 3, Observations, provides the major findings of the Task Force.

Section 4, What Should We Defend?, identifies the information users of national
interest and scope of interests to be defended.

Section 5, How Should We Defend?, suggests processes and procedures necessary
to defend the users against the threats. It includes a discussion of required
indications and warning, tactical warning, attack assessment, and continuity
of operations organizations and procedures.

Section 6, Recommendations, presents recommendations, and provides specific
guidelines for implementing the recommendations. It includes a discussion
of the reasonable roles of government and the private sector and concludes
with resources, in addition to current INFOSEC budgets, required to implement
the recommendations.

Appendices are provided as background and resource information. They do not
represent a consensus view of the Task Force and recommendations contained
in the Appendices are not Task Force recommendations to the Department. Some
of the appendices were used in part as input to the main body of this report.
Other appendices are provided because they contain useful information for
further discussion of matters addressed in the main body of the report.

At about the same time that the Task Force was created, the President signed
a major policy directive regarding the protection of critical infrastructures
such as telecommunications, electric power, and transportation. This directive
resulted in the creation of a Critical Infrastructures Working Group (CIWG)
to address the manner in which the directive should be implemented. The CIWG
recommendations were implemented with some modification in
Executive Order 13010, Critical
Infrastructure Protection which was signed by the President on July 15, 1996.
E.O. 13010 establishes a President's Commission to, in part,

Assess the scope and nature of the vulnerabilities of, and threats to, critical
infrastructures,

Determine what legal and policy issues are raised by efforts to protect critical
infrastructures, and

Recommend a comprehensive national policy and implementation strategy for
protecting critical infrastructures from physical and cyber threats and assuring
their continued operation.

Given these parallel and closely related activities, the Task Force elected
to address information warfare (defense) issues and provide conclusions from
both the national and Department of Defense perspectives. However, the Task
Force recommendations are specifically oriented on the Department of Defense.
Department of Defense dependencies on national level activities for information
warfare (defense) are provided to the Secretary of Defense for possible
transmittal to the President's Commission for use in its deliberations.

EXECUTIVE SUMMARY

The national security posture of the United States is becoming increasingly
dependent on U.S. and international infrastructures. These infrastructures
are highly interdependent, particularly because of the inter-netted nature
of the information components and because of their reliance on the national
information infrastructure. The information infrastructure depends, in turn,
upon other infrastructures such as electrical power.

Protecting the infrastructures against physical and electronic attacks and
ensuring the availability of the infrastructures will be complicated. These
infrastructures are provided mostly (and in some cases exclusively) by the
commercial sector; regulated in part by federal, state, and local governments;
and significantly influenced by market forces. Commercial services from the
national information infrastructure provide the vast majority of the
telecommunications portion of the Defense Information Infrastructure (DII).
These services are regulated by Federal and state agencies. Local government
agencies regulate the cable television portion of the information infrastructure.
Power generation and distribution are provided by a very diverse set of entities:
the Federal government, public utilities, cooperatives, and private companies.
Interstate telecommunications are regulated by the Federal Communications
Commission, intrastate telecommunications by the state public utilities
commissions. Interstate power distribution is regulated by the Federal Energy
Regulatory Commission, intrastate power generation and distribution by the
state public utilities commissions.

Observations

Information infrastructures are vulnerable to attack. While this in itself
poses a national security threat, the linkage between information systems
and traditional critical infrastructures has increased the scope and potential
of the information warfare threat. For economic reasons, increasing deregulation
and competition create an increased reliance on information systems to operate,
maintain, and monitor critical infrastructures. This in turn creates a tunnel
of vulnerability previously unrealized in the history of conflict.

Information warfare offers a veil of anonymity to potential attackers. Attackers
can hide in the mesh of inter-netted systems and often use previously conquered
systems to launch their attacks. The lack of geographical, spatial, and political
boundaries offers further anonymity and legal and regulatory arbitrage; this
lack also invalidates previously established "nation-state" sanctuaries.
Information warfare is also relatively cheap to wage, offering a high return
on investment for resource-poor adversaries. The technology required to mount
attacks is relatively simple and ubiquitous. During information warfare,
demand for information will dramatically increase while the capacity of the
information infrastructure will most certainly decrease. The law, particularly
international law, is currently ambiguous regarding criminality in and acts
of war on information infrastructures. This ambiguity, coupled with a lack
of clearly designated responsibilities for electronic defense, hinders the
development of remedies and limits response options.

Exhibit ES-1 shows additional observations.

Information warfare has been particularly troublesome for the intelligence
community

We lack a common vocabulary

Resources are focused on classified content and systems

It is easy to make the IW-D problem too hard

Acquisition policy and practices pose dilemmas

However, a lot can be done

And DoD must start now!

Exhibit ES-1. Observations

What Should We Defend?

The current Administration's national security strategy for the United States
suggests that the nation's "economic and security interests are increasingly
inseparable" and that "we simply cannot be successful in advancing our
interests -- political, military and economic -- without active engagement in world
affairs." In the broad sense, then, the scope of national information interests
to be defended by information warfare defense and deterrence capabilities
is those political, military, and economic interests. These include the
continuity of a democratic form of government and a free market economy,
the ability to conduct effective diplomacy, a favorable balance of trade,
and a military force that is ready to fight and that can be deployed where
needed. These interests are supported by the delivery of goods and services
that result from the conduct of functional activities such as manufacturing,
governing, banking and finance, and the like. Some of these activities are
critical to the nation's political, military, and economic interests. These
critical functional activities, in turn, depend on information technology
and critical infrastructures such as banking and finance, electric power,
telecommunications, and transportation.

In general, U.S. infrastructures are extremely reliable and available because
they have been designed to respond to disruptions, particularly those caused
by natural phenomena. Redundancy and diverse routing are two examples of
design techniques used to improve reliability and availability. However,
deregulation and increased competition cause companies operating these
infrastructures to rely more and more on information technology to centralize
control of their operations, to support critical functions, and to deliver
goods and services. Centralization and reliance on broadly networked information
systems increase the vulnerabilities of the infrastructures and the likelihood
of disruptions or malevolent attacks.

The information users of national interest who can be attacked through the
shared elements of the national information infrastructure are those responsible
for performing the critical functions necessary for the delivery of the goods
and services upon which our political, military, and economic interests depend.

The Department of Defense (DoD) must preserve its ability to fulfill its
basic missions. To do that, DoD must be concerned about the ensured operation
of the critical functions and the availability of information necessary to
fulfill those missions. The intertwined nature of the functions of national
interest and supporting infrastructures adds to the complexity: there are
critical functions which have national security implications and which must
be defended; and there are critical portions of the infrastructures which
are necessary for the operation of DoD and national functions.

How Should We Defend?

The concept for defending the information infrastructure and the information
components of other critical infrastructures includes the following principles:

Critical functions must be capable of being performed in the presence of
information warfare attacks.

Some minimum essential infrastructure capability must exist to support these
critical functions.

Point and layered defenses are preferable to area defenses.

The infrastructure must be designed to function in the presence of failed
components, systems, and networks. The risk associated with failed components,
systems, and networks must be managed since it cannot be avoided.

The infrastructure control functions should not be dependent on normal operation
of the infrastructure.

The infrastructure must be capable of being repaired.

The concept for defending is as follows. In the information age as in the
nuclear age, deterrence is the first line of defense. This deterrence must
include an expression of national will as expressed in law and conduct, a
declaratory policy relative to consequences of an information warfare attack
against the United States, and an indication of the resiliency of the information
infrastructure to survive an attack. Technology to conduct information warfare
is simple and ubiquitous; some form of infrastructure robustness and protection
is essential. It is technically and economically impossible to design
and protect the infrastructure to withstand any and all disruptions,
intrusions, or attacks (or avoid all risk). The risk can be managed, however,
by protecting selected portions of the infrastructure that support critical
functions and activities necessary for maintaining political, military, and
economic interests. An equally important function is to verify through
independent assessments that the design principles are being followed, that
protective measures are being implemented where appropriate, and that the
information warfare (defense) readiness posture is as reported.

Tactical warning, damage control, attack assessment, and restoration ensure
the continuance of these critical functions and activities in the presence
of disruptions or attacks. The essence of tactical warning is monitoring,
detection of incidents, and reporting of the incidents. Monitoring and detection
of infrastructure disruptions, intrusions, and attacks are also an integral
part of the defense against information warfare. Providing an effective
monitoring and detection capability will require some policy initiatives,
some legal clarification, and an ambitious research and development program.
The telecommunications infrastructure will be subject to some form of attack
and we should have some capability to limit the damage that results and to
restore the infrastructure. Little research has been devoted to the basic
procedures necessary to contain "battle" damage, let alone the tools which
might provide some automated form of damage control. Some form of
attack assessment is essential to determine the impact of an attack
on critical functions and the appropriate response to an attack. Restoration
of the infrastructure implies some capability to repair the damage and the
availability of resources such as personnel, standby services contracts,
and the like. The basic functions of monitoring, detection, damage control,
and restoration must begin at the lowest possible operating level. Reports
of the activity must be passed to regional, DoD, and national-level organizations
to establish patterns of activity and to request assistance as needed in
damage control and restoration. Finally, some form of response to
the intrusions or attacks may be necessary to deter future intrusions or
attacks. The response could entail civil or criminal prosecution, use of
military force, perception management, diplomatic initiatives, or economic
mandates. Because response might also involve offensive information warfare,
this report does not address it in detail.

Recommendations

The Task Force makes 13 key recommendations as shown in Exhibit ES-2. The
Task Force considers these recommendations to be imperatives.

Bottom Line - DoD has an urgent need to:

1. Designate an accountable IW focal point

2. Organize for IW-D

3. Increase awareness

4. Assess infrastructure dependencies and vulnerabilities

5. Define threat conditions and responses

6. Assess IW-D readiness

7. "Raise the bar" (with high-payoff, low-cost items)

8. Establish a minimum essential information infrastructure

9. Focus the R&D

10. Staff for success

11. Resolve the legal issues

12. Participate fully in critical infrastructure protection

13. Provide the resources

DSB has been urging action on this problem for 3 years!

Exhibit ES-2. Recommendations

In addition, the Task Force made over 50 additional recommendations, which
are categorized under these key recommendations. (Note that the first
recommendation addresses all of information warfare, not just defensive
information warfare.) The Task Force attempted to prioritize these "key
recommendations," but in the end decided that portions of all of these key
recommendations should be implemented immediately.

The following discussions provide all of the recommendations made by the
Task Force. The parenthetical entry following each of the key recommendations
identifies the section of the report in which the recommendations are discussed
in detail.

1. Designate an accountable IW focal point (6.1). This is the most
important recommendation the Task Force offers. The Task Force believes that
the Secretary of Defense needs a single focal point charged to provide staff
supervision of the complex activities and interrelationships that are involved
in this new warfare area. This includes oversight of both offensive and defensive
information warfare planning, technology development and resources. The SECDEF
should:

1a. Designate ASD(C3I) as the accountable focal point for all IW issues.

1b. Establish a DASD(IW) and supporting staff to bring together as many
IW functions as possible.

2. Organize for IW-D (6.2). This key recommendation identifies the
need for specific IW-D related capabilities and organizations to provide
or support the capabilities. While not specifically addressed by the Task
Force, virtual organizations that draw on existing assets and capabilities
can be established.

2a. Establish a center to provide strategic indications and warning, current
intelligence, and threat assessments. The SECDEF should request the DCI to:

2a(1). Establish an I&W/TA center at NSA with CIA and DIA support.

2a(2). Task and resource the Intelligence Community to develop the processes
for Current Intelligence, Indications and Warning, and Threat Assessments
for IW-D.

2a(3). Encourage the Intelligence Community to develop information-age
trade craft, staff with the right skills, and train for the information age.

2a(4). Conduct comprehensive case studies of U.S. offensive programs and
a former foreign program to identify potential indicator collection, funding,
training, etc.

2a(5). Establish an organization to examine and analyze probable causes
of all security breaches.

2a(6). Develop and implement an integrated National Intelligence Exploitation
Architecture to support the organization and processes.

In addition, the SECDEF should:

2a(7). Direct the development of IW Essential Elements of Information.

2b(3). Interface the operations center with Service and Agency capabilities
and I&W/TA support.

2b(4). Establish necessary liaison (e.g., with military and government
operations centers, service providers, intelligence agencies, and computer
emergency response centers).

2c. The SECDEF should establish an IW-D planning and coordination center
reporting to the ASD(C3I) with interfaces to the intelligence community,
the Joint Staff, the law enforcement community, and the operations center.
This center will: develop an IW planning framework; assess IW policy, plans,
intelligence support, allocation of resources, and IW incidents; develop
procedures and metrics for assessing infrastructure and information dependencies;
and facilitate sharing of sensitive information such as threats, vulnerabilities,
fixes, tools, and techniques within DoD and among government agencies, the
private sector, and professional associations.

2d. Establish a joint office for system, network and infrastructure
design. This office will: develop and promulgate IW-D policies,
architectures, and standards; design the information infrastructure for utility,
resiliency, repairability, and security; develop and implement an IW-D
configuration management process; and conduct independent verification of
design and procurement specifications to ensure compliance with the design.
The SECDEF should:

2d(1). Establish a joint security architecture/design office within DISA
to shape the design of the DoD information infrastructure.

2d(2). Establish a process to verify independently and enforce adherence
to these design principles.

2e. Establish a Red Team for independent assessments. The Red Team
would assess the vulnerabilities of new systems and services and would conduct
"IW-like" attacks to verify the readiness posture and preparedness of the
fighting forces and supporting activities. The SECDEF should:

2e(1). Establish a Red Team which is accountable to SECDEF/DEPSECDEF and
independent of design, acquisition, and operations activities.

2e(2). Develop procedures for employment of the Red Team.

3. Increase awareness (6.3). The Task Force strongly suggests the
need to make senior-level government and industry leaders aware of the
vulnerabilities and of the implications. To that end, the SECDEF should:

3b. Expand the IW Net Assessment recommended by the 1994 Summer Study
to include assessing the vulnerabilities of the DII and NII.

3c. Review joint doctrine for needed IW-D emphasis.

3d. Explore possibility of large-scale IW-D demonstrations for the purpose
of understanding cascading effects and collecting data for simulations.

3e. Develop and implement simulations to demonstrate and play IW-D effects
(USD(A&T) lead).

3f. Implement policy to include IW-D realism in exercises.

3g. Conduct IW-D experiments.

4. Assess infrastructure dependencies and vulnerabilities (6.4). Various
infrastructures are vitally needed to support mobilization, deployment, and
employment of forces and to control and sustain those forces. Some of these
interconnected infrastructures are known to have single points of failure.
Therefore, the SECDEF should:

4a. Develop a process and metrics for assessing infrastructure dependency.

4b. Assess/document operations plans infrastructure dependencies.

4c. Assess/document functional infrastructure dependencies.

4d. Assess infrastructure vulnerabilities.

4e. Develop a list of essential infrastructure protection needs.

4f. Develop and report to the SECDEF the resource estimates for essential
infrastructure protection.

5. Define threat conditions and responses (6.5). Conditions analogous
to DEFCON should be developed to provide a common understanding of IW threat
conditions. Appropriate responses to these conditions should also be developed
using the Task Force suggestions outlined in the report as a starting point.
The SECDEF should:

5a. Define and promulgate a useful set of IW-D threat conditions which
is coordinated with current intelligence community threat condition
definitions.

5b. Define and implement responses to IW-D threat conditions.

5c. Explore legislative and regulatory implications.

6. Assess IW-D readiness (6.6). A standardized process is necessary
to enable commanders to assess and report their operational readiness status
as it relates to their specific dependency on information and information
services. Using the standard vocabulary suggested by the Task Force, the
SECDEF should:

6a. Establish a standardized IW-D assessment system for use by CINCs,
MilDeps, Services, and Combat Support Agencies.

7. "Raise the bar" with high-payoff, low-cost items (6.7). There are
a number of low-cost activities the Department can undertake to "raise the
bar" significantly for potential systems and network intruders. Three specific
Task Force recommendations are that the SECDEF should:

7a. Direct the immediate use of approved products for access control as
an interim until a MISSI solution is implemented and for those users not
programmed to receive MISSI products.

7b. Examine the feasibility of using approved products for identification
and authentication.

7c. Require use of escrowed encryption for critical assets such as databases,
program libraries, applications, and transaction logs to preclude rogue employees
from locking up systems and networks.

8. Establish and maintain a minimum essential information infrastructure
(6.8). A strategy and an overall architecture concept employing existing
core capabilities such as Milstar must be developed to serve as a means for
restoring services for critical functions and adapting to large-scale outages.
The SECDEF should:

8e. Issue direction to the Defense Components to fence funds for a Defense
MEII and failsafe restoration capability.

9. Focus the R&D (6.9). While many commercial and approved security
products are available to meet some of the Department's needs, these products
generally do not meet the Department's needs in large-scale distributed computing
environments and generally do not protect against denial of service attacks.
Therefore, the SECDEF should focus the DoD R&D program on the following
areas.

In addition, the SECDEF should work with the National Science Foundation
to:

9g. Develop research in U.S. computer science and computer engineering
programs.

9h. Develop educational programs for curriculum development at the
undergraduate and graduate levels in resilient system design practices.

10. Staff for success (6.10). A cadre of high-quality, trained
professionals with recognized career paths is an essential ingredient for
defending present and future information systems. The Task Force recommends
that the SECDEF:

10a. Establish a career path and mandate training and certification of
systems and network administrators.

11. Resolve the legal issues (6.11). The advent of distributed computing
has and will continue to further blur the boundaries of the systems and networks
that the Department uses. Confusion also stems from uncertainty over when
or whether a wiretap approval is needed. Government-wide guidance, and perhaps
legislation as well, are needed in the areas of Department assistance to
the private sector (e.g., Computer Security Act), tracing attackers of unknown
nationality (intelligence versus U.S. persons), tracking attackers through
multiple systems, and obtaining/requiring reports of computer-related incidents
from the private sector owners and operators of critical infrastructures.
The SECDEF should:

11a. Promulgate for Department of Defense systems:

Guidance and unequivocal authority for Department users to monitor, record
data, and repel intruders in computer systems for self protection,

Direction to use banners that make it clear the Department's presumption
that intruders have hostile intent and warn that the Department will take
the appropriate response.

11b. Provide to the Presidential Commission on Critical Infrastructure
Protection proposed legislation, regulation, or executive orders for defending
other systems.

12. Participate fully in critical infrastructure protection (6.12).
The Task Force makes the following recommendations to the SECDEF regarding
the activities of the President's Commission on Critical Infrastructure
Protection. Detailed suggestions for each of the below recommendations are
outlined in Section 6.12.

13. Provide the resources (6.13). The Task Force reviewed all of
the individual recommendations categorized under the key recommendations
and estimated to $5 million granularity what the implementation costs might
be. The cost estimate is $3.01 billion over fiscal years 1997 through 2001.
However, the Department should make a detailed estimate.

INTRODUCTION

The Task Force was formed in November of 1995. It met formally eight times.
Four individual panels were formed to address specific issues and each met
about the same number of times. During the course of the study, the Task
Force drew upon previous DSB Task Force efforts. Some recurring themes will
be pointed out later in the report.

The objective of the study was to make recommendations regarding the creation
and maintenance of specific aspects of a national information warfare defense
capability. Exhibit 1-1 shows the specific tasks outlined by the terms of
reference.

TOR #1 - Identify the information users of national interest who can be
attacked through the shared elements of the national information infrastructure.
This should include telecommunications, public transportation, financial
services, public safety, and the mission essential functions of the Department
of Defense.

TOR #2 - Determine the scope of national information interests to be defended
by information warfare defense and deterrence capabilities.

TOR #3 - Characterize the procedures, processes, and mechanisms required
to defend against various classes of threats to the national information
infrastructure and the information users of national interest.

TOR #4 - Identify the indications and warning, tactical warning, and attack
assessment procedures, processes, and mechanisms needed to anticipate, detect,
and characterize attacks on the national information infrastructure and/or
attacks on the information users of national interest.

TOR #5 - Identify the reasonable roles of government and the private sector,
alone and in concert, in creating, managing, and operating a national information
warfare-defense capability.

In addition to the Terms of Reference objectives, the Task Force was requested
to look at additional items of interest shown in Exhibit 1-2. The National
Research Council study was mandated by Public Law 103-160, Defense Authorization
Bill for Fiscal Year 1994, November 30, 1993. Pre-publication copies of this
report were released May 30, 1996. Because of the potential role of cryptography
in information warfare - defense (IW-D), the Task Force was encouraged to
review the NRC report in the context of the Task Force deliberations. To
avoid duplication and to provide additional focus to the study, the Task
Force received briefings on the study of the Global Information Infrastructure
sponsored by the Director of Central Intelligence. This excellent study effort
provided valuable insights into the global implications of defensive information
warfare.

During the Task Force deliberations, the President signed Presidential Decision
Directive 39 (late 1995) and Executive
Order 13010 (July 15, 1996). These established a President's Commission
on Critical Infrastructure Protection. The Commission was tasked to develop
a comprehensive national policy and implementation strategy for protecting
critical infrastructures from physical and cyber threats. The Task Force
was advised that after review and approval of the Task Force report by
OUSD(A&T), the Defense Science Board will forward its report to the
Commission as a "statement of DoD issues, concerns, requirements, and
recommendations."

Task Force members are shown in Exhibit 1-3. A variety of disciplines were
represented: academia; the telecommunications, banking, and aerospace industries;
systems integrators; former military; and a number of members with former
government service. In order to examine the issues more closely, the Task
Force organized into four panels.

ENVIRONMENT

2.1 GROWING DEPENDENCY, GROWING RISK

The objective of warfare waged against agriculturally-based societies was
to gain control over their principal source of wealth: land. Military campaigns
were organized to destroy the capacity of an enemy to defend an area of land.

The objective of warfare waged against industrially-based societies was to
gain control over their principal source of all wealth: the means of production.
Military campaigns were organized to destroy the capacity of the enemy to
retain control over sources of raw materials, labor and production capacity.

The objective of warfare to be waged against information-based societies
is to gain control over the principal means for the sustenance of all wealth:
the capacity for coordination of socio-economic inter-dependencies. Military
campaigns will be organized to cripple the capacity of an information-based
society to carry out its information-dependent enterprises.

In the U.S. society, over 60 percent of the workforce is engaged in
information-related management activities. The value of most wealth-producing
resources depends on "knowledge capital" and not on financial assets
or masses of labor. Similarly, the doctrine of the U.S. military is now
principally based on the superior use of information.

"The joint campaign should fully exploit the information differential,
that is, the superior access to and ability to effectively employ information
on the strategic, operational and tactical situation which advanced U.S.
technologies provide our forces." [Joint Pub. 1, p. IV-9]

The military doctrines shaping U.S. force structure and operational planning
assume this information superiority. "Joint Vision 2010 focuses the strengths
of each individual Service on operational concepts that achieve Full Spectrum
Dominance." This technological view is shared in the Army's "Enterprise Strategy"
and "Force XXI Concept of Operations," the Navy's "Forward ... From the Sea,"
the Air Force's "Global Presence," and the Marine's "Operational Maneuver
from the Sea."

The capstone Joint Vision 2010 provides the conceptual template for how America's
Armed Forces will channel the vitality and innovation of our people and leverage
technological opportunities to achieve new levels of effectiveness in joint
warfighting. It addresses the expected continuities and changes in the strategic
environment, including technology trends and their implications for our Armed
Forces. It recognizes the crucial importance of our current high-quality,
highly trained forces and provides the basis for their further enhancement
by prescribing how we will fight in the early 21st century. This vision of
future warfighting embodies the improved intelligence and command and control
available in the information age and goes on to develop four operational
concepts: dominant maneuver, precision engagement, full dimensional protection,
and focused logistics.

It is not prudent to expect the U.S. dependence on information-dominated
activities for wealth producing and for national security to go unchallenged.
In his book, Strategy: The Logic of War and Peace [1987, Belknap
Press, pages 27-28], Edward Luttwak notes:

The notion of an 'action-reaction' sequence in the development of new war
equipment and newer countermeasures, which induce in turn the development
of counter-countermeasures and still newer equipment, is deceptively familiar.
That the technical devices of war will be opposed whenever possible by other
devices designed specifically against them is obvious enough. Slightly less
obvious is the relationship (inevitably paradoxical) between the very success
of new devices and their eventual failure: any sensible enemy will focus
his most urgent efforts on countermeasures meant to neutralize whatever opposing
device seems most dangerous at the time.

The reality is that the vulnerability of the Department of Defense -- and
of the nation -- to offensive information warfare attack is largely a
self-created problem. Program by program, economic sector by economic sector,
we have based critical functions on inadequately protected telecomputing
services. In aggregate, we have created a target-rich environment and the
U.S. industry has sold globally much of the generic technology that can be
used to strike these targets.

Despite the enormous cumulative risk to the nation's defense posture, at
the individual program level there still is inadequate understanding of the
threat or acceptance of responsibility for the consequences of attacks on
individual systems that have the potential to cascade throughout the larger
enterprise.

A case examined in some detail by the Task Force was the dependence of the
Global Transportation Network on unclassified data sources and the GTN interface
to the Global Command and Control System (GCCS). GCCS will continue to increase
in importance as it becomes the system of systems through which CINCS, JTFs,
and other commanders gain access to more and different information sources.
Although GCCS has undergone selected security testing, much remains to be
accomplished. For example, security testing to date has focused principally
upon Oracle databases and applications evaluation. Other GCCS aspects need
thorough security testing; e.g., database applications (Sybase), message
functions and configuration management. GTN and GCCS are not unique
circumstances. The Global Combat Support System and a long series of Advanced
Concepts Technology Demonstrations currently shaping the future of C4ISR
follow a remarkably similar pattern: Well-intentioned program managers work
very hard to deliver an improved mission capability in a constrained budget
environment. The operators they are supporting do not emphasize security
and neither operators nor developers are held responsible for the contribution
their individual program makes to the collective risk of cascading failure
in the event of information warfare attack.

To reduce the danger, all defense investments must be examined from a network-
and infrastructure-oriented perspective, recognizing the collective risk
that can grow from individual decisions on systems that may be connected to a
shared infrastructure. Only those programs that can operate without connecting
to the global network or those that can operate with an accepted level of
risk in a networked information warfare environment should be built. Otherwise,
we are paying for the means that an enemy can use to attack and defeat us.

The shift from the industrial age to the information age and the implications
are illustrated in Exhibit 2-1.

The United States formerly enjoyed a broad-based manufacturing foundation
to support other infrastructures and conventional and nuclear forces. With
the increasing dependence on information and information technology, that
broad-based foundation has been reduced to a rather narrow base of constantly
changing and increasingly vulnerable information and information technology.
Service and joint doctrine clearly indicate an increasing dependence of future
forces on information and information technology. However, the doctrine of
information superiority assumes the availability of the information and
information technology, a dangerous assumption. The published Service and
joint doctrine does not address the operational implications of a failure
of information and information technology.

By analogy, consider the protection implications of adding an aircraft carrier
to our force structure. The carrier does not deploy in isolation. It is
accompanied by all manner of ships, aircraft, and technology to ensure the
protection of the entire battle group: destroyers for picket duty, cruisers
for firepower, submarines for subsurface protection, aircraft and radar for
early warning, and so on. The United States must begin to consider the
implications of protecting its information-age doctrine, tactics, and weapon
systems. It cannot simply postulate doctrine and tactics which rely so
extensively on information and information technology without comparable
attention to information and information systems protection and assurance.
This attention, backed up with sufficient resources, is the only way the
Department can ensure adequate protection of our forces in the face of the
inevitable information war.

2.2 INFORMATION WARFARE

Although this task force specifically examined IW-D, it also considered
a few of the concepts behind offensive information warfare to help define
the battlefield upon which the defense must operate.

Offensive information warfare is attractive to many because it is cheap in
relation to the cost of developing, maintaining, and using advanced military
capabilities. It may cost little to suborn an insider, create false information,
manipulate information, or launch malicious logic-based weapons against an
information system connected to the globally shared telecommunications
infrastructure. The latter is particularly attractive; the latest information
on how to exploit many of the design attributes and security flaws of commercial
computer software is freely available on the Internet.

In addition, the attacker may be attracted to information warfare by the
potential for large non-linear outputs from modest inputs. This is possible
because the information and information systems subject to offensive information
warfare attack may only be a minor cost component of a function or activity
of interest: the database of the items in a warehouse costs much less than
the physical items stored in the warehouse.

As an example of why information warfare is so easy, consider the use of
passwords. We have migrated to distributed computing systems that communicate
over shared networks but largely still depend on the use of fixed passwords
as the first line of defense -- a carry-over from the days of the stand-alone
mainframe computer. We do this even though we know that network analyzers
have been and continue to be used by intruders to steal computer addresses,
user identities, and user passwords from all the major Internet and unclassified
military networks. Intruders then use these stolen identities and passwords
to masquerade as legitimate users and enter into systems. Once in, they apply
freely available software tools which ensure that they can take control of
the computer and erase all traces of their entry.
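The following Python illustration is added here and is not part of the Task Force report. It models the two login designs the paragraph contrasts: a fixed password sent over the wire, which any observer on a shared network can copy and present again, and a challenge-response login in which the secret never leaves the client and each server-issued random challenge is accepted only once. The user name, secret and server classes are constructed for the example.

```python
"""Why a fixed password copied off a shared network can be reused, and why a
nonce-based challenge-response login cannot.  Added illustration; user names,
secrets and class names are constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed credential store: the server holds each user's shared secret.
USERS = {"alice": b"correct horse battery staple"}


class FixedPasswordServer:
    """Legacy login: the client transmits the password itself, so the login
    message is a reusable credential for anyone who records it."""

    def login(self, user, password):
        return USERS.get(user) == password


class ChallengeResponseServer:
    """Login in which the secret never crosses the wire.  The server issues a
    fresh random challenge; the client proves knowledge of the secret by
    returning HMAC(secret, challenge).  Each challenge is accepted once."""

    def __init__(self):
        self._outstanding = {}  # user -> challenge awaiting an answer

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    @staticmethod
    def respond(secret, nonce):
        # Client side: the proof for this particular challenge.
        return hmac.new(secret, nonce, hashlib.sha256).digest()

    def login(self, user, nonce, proof):
        expected_nonce = self._outstanding.pop(user, None)  # single use
        secret = USERS.get(user)
        if expected_nonce is None or secret is None or nonce != expected_nonce:
            return False
        return hmac.compare_digest(self.respond(secret, nonce), proof)


def fixed_password_replay_succeeds():
    """Model an observer who records one legitimate login message and later
    presents the same bytes.  Returns True if the copy is accepted."""
    server = FixedPasswordServer()
    captured = ("alice", USERS["alice"])  # exactly what the wire carried
    assert server.login(*captured)        # the genuine login works
    return server.login(*captured)        # and so does the recorded copy


def challenge_response_replay_fails():
    """The same observer and the same replay against the challenge-response
    login.  Returns True if the recorded message is rejected."""
    server = ChallengeResponseServer()
    nonce = server.challenge("alice")
    proof = server.respond(USERS["alice"], nonce)
    captured = ("alice", nonce, proof)
    assert server.login(*captured)        # the genuine login works
    replayed = server.login(*captured)    # nonce already consumed -> rejected
    server.challenge("alice")             # a new challenge is outstanding
    replayed_again = server.login(*captured)  # old nonce does not match it
    return not replayed and not replayed_again


if __name__ == "__main__":
    print("fixed password replay accepted:", fixed_password_replay_succeeds())
    print("challenge-response replay rejected:", challenge_response_replay_fails())
```

The point of the comparison is that the weakness the paragraph describes lies in the protocol, not in the strength of the password: a long fixed password is copied just as easily as a short one, whereas a proof bound to a single-use challenge is worthless once that challenge has been answered.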

It is important to stress that strategically important information warfare
is not a trivial exercise of hacking into a few computers -- the Task Force
does not accept the assertions of the popular press that a few individuals
can easily bring the United States to its knees. The Task Force agrees that
it is easy for skilled individuals (or less skilled people with suitable
automated tools) to break into unprotected and poorly configured networked
computers and to steal files, install malicious software, or cause a denial
of service. However, it is very much more difficult to collect the intelligence
needed and to analyze the designs of complex systems so that an attacker
could mount an attack that would cause nation-disrupting or war-ending damage
at the time and place and for the duration of the attacker's choosing.

This is not to make light of the power of the common hacker "attack" methods
reported in the press. Many of these methods are sufficiently robust to enable
significant harassment or large-scale terrorist attacks. The Task Force
also acknowledges that malicious software can be emplaced over time with
a common time trigger or other means of activation and that the effect could
be of the scale of a major concurrent attack. While such an attack cannot
be ruled out, the probability of such is assessed to be low. Currently, however,
there is no organized effort to monitor for unauthorized changes in operational
software even though for the past 3 years unknown intruders have routinely
been penetrating DoD's unclassified computers.

The above assessments do not mean that the threat of offensive information
warfare is low or that it can be ignored. The U.S. susceptibility to hostile
offensive information warfare is real and will continue to increase until
many current practices are abandoned.

Practices that invite attack include poorly designed software applications;
the use of overly complex and inherently insecure computer operating systems;
the lack of training and tools for monitoring and managing the telecomputing
environment; the promiscuous inter-networking of computers creating the potential
for proliferating failure modes; the inadequate training of information workers;
and the lack of robust processes for the identification of system components,
including users. By far the most significant is the practice of basing important
military, economic and social functions on poorly designed and configured
information systems, and staffing these systems with skill-deficient personnel.
These personnel often pay little attention to or have no understanding of
the operational consequences of information system failure, loss of data
integrity, or loss of data confidentiality.

Information warfare defense is not cheap, nor can it be easily obtained.
It will take resources to develop the tools, processes, and procedures needed
to ensure the availability of information and integrity of information, and
to protect the confidentiality of information where needed. Additional resources
will be needed to develop design guidelines for system and software engineers
to ensure information systems that can operate in an information warfare
environment. More resources will be needed to develop robust means to detect
when insiders or intruders with malicious intent have tampered with our systems
and to have a capability to undertake corrective actions and restore the
systems.

Note that the appropriate investment in an information warfare defense capability
has no correlation with the investment that may have been made to obtain
an offensive information warfare capability. Information warfare defense
encompasses the planning and execution of activities to blunt the effects
of an offensive information warfare attack. However, the value of an investment
in information warfare defense is not a function of the cost of the information
or information system to be protected. Rather, the value of the defense is
a function of the value to the defender of an information-based activity
or process that may be subject to an information warfare attack.

If the defender leaves unprotected vital social, economic, and defense functions
that depend upon information services, then the defender invites potential
adversaries to make an investment in an offensive information warfare capability
to attack these functions. To provide a robust deterrent against such an
attack, an information-dependent defender should invest wisely in a capability
to protect and restore vital functions and processes and demonstrate that
the information services used are robust and resilient to attack.

Part of the challenge is that the rate of technology change is such that
most system designers and system engineers have their hands full just
trying to keep up -- never mind learning and applying totally new security
design practices. But the lack of such steps can cost. The organized criminals
that recently made a successful run at one of the major U.S. banks spent
18 months of preparation, including downloading application software and
the e-mail of the software designers, before they started to transfer funds
electronically.

It will cost even more, as well as raise significant issues of privacy and
the role of the government, to design a warning system for major institutions
of society such as the banks or air traffic control. Such a warning system
should, as a minimum, provide tactical warning of and help in the
characterization of attacks mounted through the information infrastructure.

Probably the biggest obstacle will be the difficulty in convincing people, whether
in commerce, in the military, or in government, of the need to examine work
functions and operating processes. This examination should uncover unintentional
dependencies on the assumed proper operation of information services beyond
their control.

2.3 THE INFRASTRUCTURE

What is the National Information Infrastructure (NII)? The phrase "information
infrastructure" has an expansive meaning. The NII includes more than just
the physical facilities used to transmit, store, process, and display voice,
data, and images. It encompasses a wide and ever-expanding range of
equipment: cameras, scanners, keyboards, telephones, fax machines, computers,
switches, compact disks, video and audio tape, cable, wire, satellites, optical
fiber transmission lines, microwave nets, switches, televisions, monitors,
printers, and much more.

The NII is not a cliff that suddenly confronts us, but rather a slope, one
that society has been climbing since postal services and semaphore networks
were established. An information infrastructure has existed for a long time,
continuously evolving with each new advance in communications technology.
What is different is that today we are imagining a future when all the
independent infrastructures are combined. An advanced information infrastructure
will integrate and interconnect these physical components in a technologically
neutral manner so that no one industry will be favored over any other. Most
importantly, the NII requires building foundations for living in the Information
Age and for making these technological advances useful to the public, business,
libraries, and other nongovernmental entities. That is why, beyond the physical
components of the infrastructure, the value of the NII to users and the nation
will depend in large part on the quality of its other elements:

The information itself, which may be in the form of video programming, scientific
or business databases, images, sound recordings, library archives, and other
media. Vast quantities of that information exist today in government agencies
and even more valuable information is produced every day in our laboratories,
studios, publishing houses, and elsewhere.

Applications and software that allow users to access, manipulate, organize,
and digest the proliferating mass of information that the NII's facilities
will put at their fingertips.

The network standards and transmission codes that facilitate interconnection
and interoperation between networks, and ensure the privacy of persons and
the security of the information carried, as well as the security and reliability
of the networks.

The people -- largely in the private sector -- who create the information,
develop applications and services, construct the facilities, and train others
to tap its potential. Many of these people will be vendors, operators, and
service providers working for private industry. Every component of the
information infrastructure must be developed and integrated if America is
to capture the promise of the Information Age.

We call out domains within this infrastructure by names that reflect the
interest of the user: the Defense Information Infrastructure of the defense
community; the National Information Infrastructure of the United States;
the complex, interconnected Global Information Infrastructure of the future
described so well to the Task Force by the representatives of the Central
Intelligence Agency. The reality is that almost all are interconnected.

DoD has over 2.1 million computers, over 10,000 LANS, and over 100 long-distance
networks. DoD depends upon computers to coordinate and implement aspects
of every element of its mission, from designing weapon systems to tracking
logistics. In field testing, DISA has determined that at least 65 percent
of DoD unclassified systems are vulnerable to attack. Consider how this state
of affairs came about.

The early generations of computer systems presented relatively simple security
challenges. They were expensive, they were isolated in environmentally controlled
facilities, and few understood how to use them. Protecting these systems
was largely a matter of physical security, controlling access to the computer
room, and of clearing the small number of specialists who needed such access.

As the size and price of computers were reduced, microprocessors began to
appear in every workplace, on the battlefield and embedded in weapons systems.
Software for these computers is written by individuals and firms scattered
across the globe. Connectivity was extended, first to remote terminals,
eventually to local- and wide-area communications networks, and now to global
coverage. What was once a collection of separate systems is now best understood
as a dynamic, ever-changing, collection of subscribers using a large,
multifaceted information infrastructure operating as a virtual utility.

These legacy computer systems were not designed to withstand second-, third-,
or "n"-order-level effects of an offensive information warfare attack. Nor
is there evidence that the computer systems presently under development will
provide such protection. The cost for "totally hardened" systems is prohibitive.
Security criteria at present presume that computing can be protected at its
perimeter, primarily through the encryption of telecommunications links.
However, internal security may be more important than perimeter defense.

It is not necessary to break the cryptographic protection used to protect
telecommunications and data to attack classified computing environments.
The legacy protection paradigm used by DoD was based upon the classification
of information. However, most classified computer systems contain, and often
rely on, unclassified information. This unclassified information often has
little or no protection of the data integrity prior to entry into classified
systems. The expected interaction between GCCS and GTN is an example of this.
An increasing number of DoD systems contain decision aids and other event
driven modules that, unless buffered from unclassified data whose integrity
cannot be verified, are at risk.
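The following Python illustration is added here and is not the GTN/GCCS interface or any DoD design. It shows one way to buffer a decision aid from unclassified data whose integrity cannot be verified: the producing system attaches an HMAC-SHA256 tag to each record under a key shared with the consumer (an assumption of the example), and the consumer admits only records whose tags verify, quarantining everything else before it can reach the decision logic. The feed lines, the key and the toy decision aid are constructed.

```python
"""Integrity gate between an unclassified data feed and a decision aid.
Added illustration with a constructed key, constructed feed records and a
toy decision function; not the GTN/GCCS interface itself."""
import hashlib
import hmac
import json

# Constructed: the key the feed producer uses to tag records.  In a real
# deployment it would be held in both systems' key stores, never in code.
FEED_KEY = b"example-feed-key-not-for-real-use"


def tag_record(key, record):
    """Producer side: serialise the record canonically and append a tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + " " + tag


def verify_line(key, line):
    """Consumer side: (record, None) if the tag verifies, else (None, reason)."""
    try:
        body, tag = line.rsplit(" ", 1)
    except ValueError:
        return None, "malformed line"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "integrity tag mismatch"
    try:
        return json.loads(body), None
    except json.JSONDecodeError:
        return None, "unparseable body"


def gate_feed(key, lines):
    """Split a feed into records the decision aid may use and a quarantine
    list of (line number, reason) for everything that failed the gate."""
    accepted, quarantined = [], []
    for n, line in enumerate(lines, 1):
        record, reason = verify_line(key, line)
        if record is None:
            quarantined.append((n, reason))
        else:
            accepted.append(record)
    return accepted, quarantined


def earliest_lift(records):
    """Toy decision aid: earliest available lift per port.  It only ever sees
    records that passed the gate, so an unverified edit cannot change its
    answer."""
    best = {}
    for r in records:
        port, day = r["port"], r["available_day"]
        if port not in best or day < best[port]:
            best[port] = day
    return best


def demo():
    """Two genuine records, one record altered in transit without the key,
    and one line of noise; returns the decision and the quarantine list."""
    good = [{"port": "A", "available_day": 5}, {"port": "B", "available_day": 3}]
    lines = [tag_record(FEED_KEY, r) for r in good]
    # Constructed tampering: the body is edited but the tag cannot be recomputed.
    body, tag = lines[0].rsplit(" ", 1)
    lines.append(body.replace('"available_day":5', '"available_day":1') + " " + tag)
    lines.append("garbage")
    accepted, quarantined = gate_feed(FEED_KEY, lines)
    return earliest_lift(accepted), quarantined


if __name__ == "__main__":
    print(demo())
```

The gate answers the integrity question the paragraph raises but not the provenance one: a tag proves that the holder of the key produced the record, so the key's own protection on the unclassified producer becomes part of the classified system's trust base and has to be managed accordingly.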

To cope with this new reality, the approach for managing information security
must shift from developing security for each individual system and network
to developing security for subscribers within the worldwide utility; and
from protecting isolated systems owned by discrete users to protecting
distributed, shared systems that are interconnected and depend upon an
infrastructure that individual subscribers neither own nor control.

Successful protection policies within this global structure must be sufficiently
flexible to cover a wide range of systems and equipment from local area networks
to worldwide networks, and from laptop computers to massively parallel processing
supercomputers. They must take into account threat, both from the insider
and the outsider, and must espouse a philosophy of risk management in making
security decisions.

These protection challenges are made more difficult by the rapid technological
and regulatory changes under way in the distributed computing environment.
The Telecommunications Act of 1996 is reshaping all aspects of interconnected
communications in the United States. Similar movements toward deregulation
are under way across the globe. Into this regulatory turmoil technology is
introducing new services based on a bevy of competing waveforms and protocols
for use over copper, coaxial, glass, and wireless mediums. To date, it is
not possible to predict how fragile or how robust the communications
infrastructure will be in the near term -- let alone the far future.

New computing technologies are being integrated into distributed computing
environments on a large scale even though the fragility of these technologies
is not understood. Recent examples include the post-deployment security flaws
found in Netscape Navigator and in Java applets; the ongoing market struggle
to dominate the building blocks for World Wide Web applications formed from
collections of objects distributed across clients and servers that is under
way between the Object Management Group's Common Object Request Broker
Architecture and Microsoft Corporation's Distributed Common Object Model
(each with a different approach to security); and a proposed future where
Microsoft would automatically deliver and install software updates onto the
customer's desktop without the customer's active involvement.

These environmental factors have serious implications for information warfare
defense. Within this rapidly changing, globally interconnected environment
of telecomputing activities it is not possible for a person to identify
positively who is interconnected with him or her or know the exact path a
message and voice traffic takes as it transits the telecommunications "cloud."
It is not possible to know technically or at the logical level how the various
software components on a computer, including the distributed applets downloaded,
used, and discarded, interact together. It is not possible to know for sure
if the various components installed in the computer hardware only do what
is asked of them. Finally, it is certainly not possible to know for certain
if a co-worker who shares authorized access to a telecomputing environment
is behaving appropriately.

In sum, we have built our economy and our military on a technology foundation
that we do not control and which, at least at the fine detail level, we do
not understand.

A few words about the environment are important to set the stage for later
discussions. DoD's information infrastructure is a part of a larger national
and global information infrastructure. These interconnected and interdependent
systems and networks are the foundation for critical economic, diplomatic,
and military functions upon which our national and economic security are
dependent. Exhibit 2-2 shows a few examples of those functions, the importance
of information and the information infrastructure to each, and the criticality
of functions such as coalition building in responding to a regional crisis.

The United States is an information and information systems dominated society.
Because of its ever-increasing dependence on information and information
technology, the United States is one of the most vulnerable nations to
information warfare attacks. The United States and its infrastructures are
vulnerable to a variety of threats ranging from rogue hackers for hire to
coordinated transnational and state-sponsored efforts to gain some economic,
diplomatic or military advantage. Exhibit 2-3 depicts some of the
vulnerabilities.

The military implications of this dependency were made abundantly clear when
it was suggested in one of the briefings presented to the Task Force that
points of failure had been identified for each of three infrastructures
(telecommunications, power, transportation) supporting a key port city in
the United States. If these individual locations were attacked or destroyed,
or in the case of power and telecommunications, if the resident electronics
were disturbed, it would impact the ability of military forces to deploy
at the pace specified in the Time Phased Force Deployment List.

And it is getting worse. Globalization of business operations brings with
it increased information and information system interdependence. Standardization
of technology for effectiveness and economies tends to standardize the
vulnerabilities available to an adversary. Regulation and deregulation also
contribute to growing vulnerability. For example, the Federal Communications
Commission has mandated an evolution toward an open network architecture concept
which has as its goal the equal, user-transparent access via public networks
to network services provided by network-based and non-network enhanced service
providers. However, in execution, the concept makes network control software
increasingly accessible to the users, and to the adversaries. Implementation
of the Telecommunications Act of 1996 will also require the carriers to collocate
key network control assets and to increase the number of points of
interconnection among the carriers. The Act also mandates third-party access
to operations support systems, providing even more possible points of access
to the critical infrastructure control functions. Similarly, the Federal
Energy Regulatory Commission's recent Orders 888 and 889 directed the
deregulation of the electric power industry. As part of Order 889, the electric
utilities are required to establish an Open Access Same-time Information
System (OASIS) using the Internet as the backbone.

Exhibit 2-4 illustrates the variety of network and computer system
vulnerabilities which can be exploited, starting with simply making too much
information available to too many people. The number of holes is mind-boggling
-- an indication of the complexity and depth of the defensive information warfare
task!

Human factors
- Information freely available
- Poor password choices
- Poor system configuration
- Vulnerability to "social engineering"

Authentication-based
- Password sniffing/cracking
- Social engineering
- Via corrupted/trusted system

Data driven
- Directing e-mail to a program
- Embedded programming languages
  - Microsoft Word macro
  - PostScript printer
- Remotely accessed software
  - JAVA, Active-X

Software-based
- Viruses
- Flaws
- Excess privileges
- Unused security features
- Trap doors
- Poor system configuration

Protocol-based
- Weak authentication
- Easily guessed sequence numbers
- Source routing of packets
- Unused header fields

Denials of service
- Network flooding
- "Spamming"
- Morris worm

Cryptosystem weakness
- Inadequate key size/characteristics
- Mathematical algorithm flaws

Key management
- Deducing key
- Substituting key
- Intercepting key
- Setting key

Bypassing
- Capture data before encryption
- Turn off encryption
- Replay
- Denial of service

Exhibit 2-4. Vulnerabilities/Exploitation Techniques

Take, for example, "Remotely accessed software," which is found under "Data
Driven." Distributed software objects, such as JAVA and Active-X, are the
wave of the future. Rather than having software reside permanently in
workstations or desktop computers, the Internet will make applications and
data available as needed. The applications and data are deleted from the
workstations or desktop computers after use. The danger of this just-in-time
support is that the user has no idea as to what might be hidden in the code.
Another aspect of distributed computing is that the definition of system
boundaries becomes very blurred. This suggests considerable future difficulty
in defining what can and cannot be monitored for self-protection, an implication
discussed in Section 6.11, Resolve the Legal Issues, with legal recommendations.

The implication is that a risk management process is needed to deal with
the inability to close all of the holes. Since this subject has been treated
extensively by other study efforts (e.g., the Joint Security Commission)
the Task Force elected not to examine risk management.

2.4 THREAT

There is ample evidence from the Defense Information Systems Agency and the
General Accounting Office of the presence of intruders in DoD unclassified
systems and networks. Briefings and reports to the Task Force have reinforced
the DISA experience. Exhibit 2-5 shows some of the threats involved.

Unknown intruders are in DoD networks and computers

- Services and DISA experience

- GAO report

U.S. networks and computers are of significant interest

- CIA, DIA, and NSA briefings

- FBI survey: "There is a serious problem"

Threat to the public switched network is significant

- NCS and NSTAC

Growing interest in sharing sensitive information

- Government and industry Network Security Information Exchanges

- DoJ Industry Information Center

- Etc.

We can't let our confidence in technological superiority blind us to a
growing threat

Exhibit 2-5. The Threat is Real

The "1996 CSI/FBI Computer Crime and Security Survey," released to the public
earlier this year, concluded that "there is a serious problem" and cited
a growing number of attacks ranging from "data diddling" to scanning, brute-force
password attacks, and denial of service. The National Communications System
and the President's National Security Telecommunications Advisory Committee
have been warning since 1989 that the public switched network is growing
more vulnerable and is experiencing a growing number of penetrations. There
is also a growing interest in sharing sensitive vulnerability information
among private sector companies, among government agencies, and between government
and the private sector. However, sometimes the technology success we have
achieved and our faith in our technological superiority blinds us to the
growing threat and to our own vulnerabilities. Exhibit 2-6 depicts the Task
Force view of the threat.

                                    Validated    Existence      Likely    Beyond
                                    Existence*   Likely but     by 2005   2005
                                                 not Validated

Incompetent                         W            -              -         -

Hacker                              W            -              -         -

Disgruntled Employee                W            -              -         -

Crook                               W            -              -         -

Organized Crime                     L            -              W         -

Political Dissident                 -            W              -         -

Terrorist Group                     -            L              W         -

Foreign Espionage                   L            -              W         -

Tactical Countermeasures            -            W              -         -

Orchestrated Tactical IW            -            -              L         W

Major Strategic Disruption of U.S.  -            -              -         L

* Validated by DIA. W = Widespread; L = Limited

Exhibit 2-6. Threat Assessment

The incompetent threat is an amateur that by some means (perhaps by following
a hacker recipe or by accident) manages to perform some action that exploits
or exacerbates a vulnerability. This category could include a poorly trained
systems administrator who assigns privilege groups incorrectly, which would
then allow a more nefarious threat to claim more privileges on a system than
would be warranted.

The hacker threat implies a person with more technical knowledge who to some
degree understands the processes used and has the intent to violate the security
or defenses of a target to one degree or another. The hacker threat is broad
in motivation, ranging from those who are mostly just curious to those who
commit acts of vandalism.

The disgruntled employee threat is the ultimate insider threat: the individual
who is inside the organization and trusted. This threat is the most difficult
to detect because insiders have legitimate access.

When examining the potential for information warfare activities, the potential
for a criminal or nongovernmental attack for economic purposes must be
considered. Information is the basis for the global economy. Money is
information; only approximately 10 percent of the time does it exist in physical
form. As information systems are increasingly used for financial transactions
at all levels, it is natural to expect all levels of criminals to target
information systems in order to achieve some gain.

The increasing interconnectivity of information systems makes them a tempting
target for political dissidents. Activities of interest to this group include
spreading the basic message of their cause by a variety of means as well
as inviting others to actions. An example is the political dissident in this
country who sent out e-mails urging folks to send e-mail bombs to the White
House server.

By attacking those targets in a highly visible way, the terrorist hopes to
cause the media to provide a great deal of publicity of the action, thereby
further disseminating the message of fear and uncertainty.

A significant threat that cannot be discounted includes activities engaged
on behalf of competitor states. The purpose behind such attacks could be
an attempt to influence U.S. policy by isolated attacks; foreign espionage
agents seeking to exploit information for economic, political, or military
intelligence purposes; the application of tactical countermeasures intended
to disrupt a specific U. S. military weapon or command system; or an attempt
to render a major catastrophic blow to the United States by crippling the
National Information Infrastructure.

It is necessary to distinguish between what a layman might consider a "major
disruption," such as the three New York airports simultaneously being inoperable
for hours, and a "strategic" impact, in which both the scope and duration
of the disruption are dramatically broader. The latter is likely to occur at
a time in which other contemporaneous events make the impact potentially
"strategic," such as during a major force deployment.

The Task Force struggled with the issue of what would truly constitute a
"strategic attack" or "strategic" impact upon the United States. The old
paradigms of "n" nuclear weapons, or threats to "overthrow the United States
per se," were marginally helpful in understanding the degree to which we
are vulnerable today to Information Warfare attack in all of its dimensions.
This issue is compounded by the difficulty of assessing the real impact of
cascading effects through our infrastructures: on the one hand, they may be
major nuisances and inconveniences to our way of life; on the other hand, they
may literally threaten the existence of the United States itself, or threaten
the ability of the United States to mount its defenses.

The Task Force concluded that, in this new world, an event or series of events
would be considered strategic either because the impact was so broad and
pervasive, or because the events occurred at times and places which affected
(or could affect) our ability to conduct our necessary affairs. One example
we used to illustrate this latter point was a disruption in the area phone,
power, and transportation systems coincident with our attempts to embark
and move major military forces through that area to points abroad.

Few members of the Task Force felt that the power failures in several contiguous
Southwestern states this summer were a "major disruption" or of "strategic
impact" on the United States. Clearly they were inconveniences. However,
had we reason to believe that the outages had been knowingly orchestrated
by adversaries of the United States, this nation would have been outraged.

An issue related to our perceived vulnerabilities is the ability of an adversary
to actually plan and execute Information Warfare so that it creates the desired
impact. Our Task Force had many enlightening discussions about the potential
for effects to cascade through one infrastructure (such as the phone system)
into other infrastructures. This example is particularly important because
most of our other infrastructures ride on the phone system. No one seems
to know quite how, where, or when effects actually would cascade; nor what
the total impact might be. The Threat and Vulnerabilities Panel concluded
that if, with all the knowledge we have about our own systems, we are unable
to determine the degree to which effects would multiply and cascade; an adversary
would have a far more difficult task of collecting and assessing detailed
intelligence of literally hundreds, if not thousands, of networked systems
in order to plan and successfully execute an attack of the magnitude which
we would consider to be "strategic." The very complexity and heterogeneity
of today's systems provide a measure of protection against catastrophic failure,
by not being susceptible to the same precise attacks. Presumably, the more
kinds of attacks required, the harder it would be to induce cascading effects
that would paralyze large segments of this nation. This is not to say that
significant mischief is unlikely. It does suggest that the risk of an adversary
planning and predicting the intended results at the times and places needed
to truly disrupt the United States is considered low for approximately the
next decade.

The trade and news media regularly report on the penetration of businesses
and financial institutions by organized crime to steal funds, the theft of
telecommunications services, the theft of money via electronic funds transfer,
and the theft of intellectual property to include foreign government-sponsored
theft and transfer to offshore competitors of intellectual property from
U.S. manufacturing firms.

The media also reports instances of disgruntled employees, contract employees,
and ex-employees of firms using their access and knowledge to destroy data,
to steal information, to conduct industrial espionage, invade privacy-related
records for self-interest and for profit, and to conduct fraud. (An MCI employee
electronically stole 60,000 credit card numbers from an MCI telephone switch
and sold them to an international crime ring. MCI estimated the loss at $50
million.) Malicious activity by "insiders" is one of the most difficult
challenges to information assurance.

DISA reported that it responded to 255 computer security incidents in 1994
and to 559 incidents in 1995. Of these, 210 were intrusions into computers,
31 were virus incidents, and 39 fell into another category. This is probably
just the tip of a very large iceberg. Last year, DISA personnel used
"hacker-type" tools to attack 26,170 unclassified DoD computers. They found
that 3.6 percent of the unclassified computers tested were "easily" exploited
using a "front door" attack because the most basic protection was missing
and that 86 percent of the unclassified computers tested could be penetrated
by exploiting the trusted relationships between machines on shared networks.
Worse, 98 percent of the penetrations were not detected by the administrators
or users of these computers. In the 2 percent of the cases where the intrusion
was detected, it was only reported 5 percent of the time. This works out
to less than one in a thousand intrusions being both detected and reported.
These detection and reporting statistics suggest that up to 200,000 intrusions
might have been made into DoD's unclassified computers during calendar year
1995.

Whatever the number, unknown intruders have been routinely breaking into
unclassified DoD computers, using passwords and user identities stolen from
the Internet, since late 1993. Once the intruders enter the computers
masquerading as the legitimate users, they install "back doors" so that they
can always get back into the computer. These intruders have gained access
to computers used for research and development in a variety of fields: inventory
and property accounting, payroll and business support, supply, maintenance,
e-mail files, procurement, health systems, and even the master clock for
one-fourth of the world. They have modified, stolen, and destroyed data and
software and have shut down computers and networks.

Such intrusions are not limited to DoD. Information age "electronic terrorists"
have penetrated commercial computers and data-flooded or "pinged" network
connections to deny service and destroy data to further their cause: an
environmental group sponsored such attacks to call attention to their message
and to punish a business with which they disagreed.

In the early 1980s an intruder required a high level of technical knowledge
to successfully penetrate computers. By the early 1990s automated tools for
disabling audits, stealing passwords, breaking into computers, and spoofing
packets on networks were common. These tools are easy to use and do not require
much technical expertise. Most have a friendly graphical user interface (GUI);
automated attacks can be initiated with a simple click on a computer mouse.

Such tools include:

RootKit - a medium technology software command language package which,
when run on a UNIX computer, will allow complete access and control of the
computer's data and network interfaces. If this computer is attached to a
privileged network, the network is now in control of the RootKit tool set
user.

SATAN - a medium technology software package designed to test for
several hundred vulnerabilities of UNIX-based network systems, especially
those which are client/server. However, the tool goes beyond the testing
and grants

WatcherT - a high technology Artificial Intelligence engine, which
is rumored to have been created by an international intelligence agency.
It is designed to look for several thousand vulnerabilities in all kinds
of computers and networks including PCs, UNIX (client/server) and mainframes.

More sophisticated attacks include plain text encryption of programs and
messages, that is, using plain text to hide malicious code; disabling of audit
records; mounting attacks that are encrypted and that come from multiple
points to defeat security detection mechanisms; hiding software code in graphic
images or within spreadsheets or word processing documents; the insertion,
over time and by multiple paths, of multi-part software programs; the physical
compromise of nodes, routers, and networks; the spoofing of addresses; the
eavesdropping (installing "sniffers" on Internet routers) on telecommunications
and networks to obtain addresses and passwords for subsequent downstream
spoofing; and the modifications of packet transmissions on networks.

Hackers with a bent to cyber crime are actively recruited by both organized
crime and unethical businessmen, including private investigators who want
to access privacy-protected information. Such recruiting was intense at the
hacker convention DEFCON III, held August 4 to 6, 1995, in Las Vegas. Such
conventions also serve as a clearing house for hacker tradecraft. At DEFCON
III sessions were held on hacking the latest communications protocols (ATM
and Frame Relay); the development and distribution of polymorphic software
code (code that dynamically changes and adapts to the computer it is installed
on); the penetration of health maintenance organizations and insurance companies;
and the vulnerabilities of telephone systems. New services such as electronic
commerce, cyber cash, mobile computing, and personal communications services
are already areas of intense criminal interest.

The hackers and the cyber criminals are very efficient. The current state
of technology favors the attackers, who need only minimal resources to accomplish
their objectives. They have accumulated considerable knowledge of various
devices and commercial software by examining unprotected sites. This know-how
and tradecraft is transportable and is shared on the 400-plus hacker bulletin
boards, worldwide. This includes hacker bulletin boards sponsored by governments
(for example, the French intelligence service sponsors such a board). These
boards are also used to distribute very sophisticated user-friendly
"point-and-click" hacker tools that enable even amateurs to attack computers
with a high degree of success.

A CD-ROM entitled The Hacker Chronicles, Vol II, produced by P-80
Systems and available at hacker shows for $49.95, contains hundreds of megabytes
of "hacker" and information security information including automated tools
for breaking into computers. The package carries this warning notice:

The criminal acts described on this disk are not condoned by the publishers
and should not be attempted. The information itself is legal, while the usage
of such information may be illegal. The Hacker Chronicles is for information
and educational purposes only. All information in this compilation was legally
available to the public [readily available on the Internet] prior to this
publication.

Attacks are not just based on the use of smart tools. Simple social
engineering (impersonation and misrepresentation to obtain information) remains
very productive. The ruses are many: a "cyber friend" providing a free software
upgrade that has been doctored to circumvent security, or a "customer" demanding
and receiving support over the telephone from a customer-oriented firm.

Additional details on the Task Force assessment of the threat are provided
in Appendix A, Threat Assessment.

The nature of the danger is evident in an assessment of the current risk,
which is based on the presence of a threat; the vulnerabilities of our networks
and computing systems; the measures available to counter an attack; and the
impact resulting from the loss of critical information, information systems,
or information networks. This is depicted in Exhibit 2-7.

The Task Force believes that the overall risk is significant because of the
following factors:

- The current threat is significant

- The vulnerabilities are numerous

- The countermeasures are extremely limited

- The impact of loss of portions of the infrastructure could have catastrophic
  effects on the ability of the Department to fulfill its missions.

OBSERVATIONS

The Task Force agrees with the observation of the Deputy Secretary shown
in Exhibit 3-1 below. This section discusses several areas in the Department
and in the larger national security environment where we can make rapid progress
on responding to this challenge.

"This is not a problem we will solve. It is one we can get a handle on."
-- DEPSECDEF White

While information warfare is a national security issue that goes beyond
DoD, it is warfare and DoD must play a major role.

Information warfare is different

- IW attack objective is generally a critical function or a process

- Targets include

  Information

  Computers

  Systems

  Networks

  Facilities

  People

- It's adaptive

Exhibit 3-1. Initial Observations

The threat posed by information warfare is not limited to the realm of national
defense, and the effort to control the problem must encompass broader national
security interests, including Congress, the civil agencies, regulatory bodies,
law enforcement, the Intelligence Community, and the private sector.

Unlike an attacker in conventional war, an attacker using the tools of
information warfare can strike at critical civil functions and processes
such as telecommunications, electric power, banking, or transportation and
other centers of gravity or even at the stability of the social structure,
without first engaging the military. Such a strategic information warfare
attack can occur without forewarning or escalation of other events. In addition,
attacks on the civil infrastructure could impede the actions of the military
as much as a direct attack on the military's force generation processes or
command and control.

However, we should not forget that information warfare is a form of warfare,
not a crime or act of terror. The Secretary of Defense individually and the
Department of Defense collectively, have two basic responsibilities -- to
provide for the "common defense" of the United States, and to be "ready to
fight ... with effective representation abroad" [A National Security Strategy
of Engagement and Enlargement, The White House, February 1996]. By first
focusing on improving its ability to manage the information warfare challenge
to the defense mission, the Department can meet its national defense
responsibilities while also enhancing its ability to play a significant role
in defending against and countering a strategic information warfare attack
on national centers of gravity.

Keep in mind that information warfare is not limited to attacks on computers:
The potential targets of information warfare attacks can include information,
information systems, people, and facilities that support critical
information-dependent functions. The means of attack can be both cyber and
physical. Finally, information warfare is adaptive and the practitioners
learn from their experiences. While this phenomenon is not unique to information
warfare, the speed at which the learning process takes place has no parallel
in other forms of warfare.

Exhibit 3-2 suggests some additional ways in which information warfare is
different from conventional warfare. Information warfare offers a veil of
anonymity to potential attackers. Attackers can hide in the mesh of
inter-networked systems and often use previously conquered systems to launch
their attacks. The lack of geographical, spatial, and political boundaries
in cyberspace offers further anonymity. Information warfare is also relatively
cheap to wage as compared to conventional warfare, offering a high return
on investment for resource-poor adversaries. The technology required to mount
attacks is relatively simple and ubiquitous. During an information warfare
engagement, the demand for information will dramatically increase while the
capacity of the information infrastructure to provide information may decrease.
The law, particularly international law, is currently ambiguous regarding
the definition of criminality in and acts of war on information infrastructures.
This ambiguity, coupled with a lack of clear designated responsibilities
for defense, hinders the development of remedies and limits response options.
Finally, deterrence in the information age is measured more in the resiliency
of the infrastructure than in a retaliatory capability.

Exhibit 3-3 shows that information warfare has been particularly troublesome
for the Intelligence Community because IW is a non-traditional intelligence
problem. It is not easily discernible by traditional intelligence methods.
Formerly, capabilities were derived from unique observables and indicators
of military capability open to our sensors, amenable to cataloging in databases,
and understandable by classic analytic techniques. With information warfare,
however, the following elements come into play:

The physical attributes of conventional and nuclear forces can be observed
and quantified. The alert posture and movement of forces provided indications
of potential threat. Our understanding of such patterns gained from long
experience in observing known adversaries, the orders of battle stored in
our databases, and the related analytic skills were well suited for understanding
historic threats and from such insights we derived "intent." These skills
are largely irrelevant in the information warfare environment.

Now, key technologies designed for completely innocent applications can be
used as weapons. For example, software used to test systems can also be used
to penetrate systems.

The technology required for information warfare is available everywhere.

However, the "business" or "war" processes that must be penetrated to determine
capabilities and intent are relatively complex, which means that human
intelligence and counter-intelligence will continue to play a vital role.
It is not easy to identify sources of attacks, intent, etc. in the information
age.

Finally, the technical skills required by our intelligence collectors and
analysts in order to deal with these new challenges are much broader and
deeper and more sophisticated than those required in the past. The intelligence
community will require more personnel with advanced scientific degrees and
a deep technical understanding of process, computer, and network design and
of leading-edge technologies to meet the challenge adequately.

The Task Force derived a taxonomy that describes information warfare.
Unfortunately, as shown in Exhibit 3-4, in those cases
where both objects and processes are present, this taxonomy would not scale
in a linear manner beyond three levels. This is the result of the number
of permutations and combinations by which the attacks could be mounted against
a particular process, over variable time periods. The derivation of the taxonomy
is discussed in Appendix C, A Taxonomy for Information Warfare?

However, by adopting concepts from Joint Pub sources and inputs of the Threat
and Policy Panels of the Task Force, we developed a standard vocabulary for
use in threat alerting and for the assessment and reporting of defensive
preparedness, tied to specific information dependent processes. This vocabulary
is discussed in Section 6, Recommendations.

- Focus on solving political or social problems before addressing IW-D

Acquisition policy and practices pose dilemmas

- Current practices trade off security

  Functionality, performance, number of systems

- Policy is clear

  DODD 5000.1 and DODD 5000.2-R emphasize IW

Exhibit 3-4. Additional Observations

Resources have been focused historically on protecting classified content
and systems. These classified systems constitute only a very small percentage
of the challenge.

Sometimes, we just make the problem too hard by failing to focus on what
can and should be done. We can focus too broadly, too narrowly, or on the
wrong problem set.

The reality of limited resources has fostered the current acquisition practice
of trading off functionality, performance, and numbers of systems delivered
to the operating forces at the expense of security. On a positive note, recent
policy updates clearly state the need for attention to the information warfare
aspects of systems acquisition. For example, DODD 5000.1 indicates that
acquisition programs should consider how systems security procedures and
practices will be implemented and how the system will be able to respond
to effects of information warfare. The Directive also calls for a C4I Support
Plan for each system. The Task Force was disappointed to note, however, that
the Support Plan does not include information warfare considerations. DODD
5000.2-R also specifies that the operational requirements documents must
include the characteristics the system must have to defend against and survive
an information warfare attack.

Bottom line -- policy exists, but it is not yet uniformly implemented or enforced,
and it requires resources to implement.

Exhibit 3-5 suggests that infrastructure resilience has been demonstrated
repeatedly during natural disasters, but overall robustness against a major
IW attack is untested. Thus, national infrastructure recovery must be considered
uncertain. Given the complexity and interconnected nature of our infrastructures,
we really do not know the extent of our vulnerability. The possibility of
cascading effects occurring throughout and between infrastructures certainly
exists. This was adequately demonstrated in the 1991 regional long-distance
telephone failures (attributed to a simple programming error), the recent
West Coast power failures, and the 1988 Morris worm propagation throughout
the Internet (damage was limited to UNIX systems demonstrating the value
of system diversity). The Morris worm example is noteworthy in that warnings
of the worm were often sent over the Internet because emergency response
personnel did not have the telephone numbers of colleagues in other organizations
to whom the warnings needed to be sent. In many cases, these electronic warnings
carried the worm with them and aided the propagation of the worm.

Cascading effects have occurred, are difficult to predict

- Infrastructure robustness untested

- Infrastructure recovery uncertain

Area and perimeter defenses are not sufficient!

- Resiliency and repairability are critical to information survivability

- Information domains are essential

- Scale of IW-D for a distributed computing environment not well understood

Easy technical solutions are not apparent

Exhibit 3-5. Additional Observations

The concept of protecting large portions of the information infrastructure
is not valid. It is economically and technically impossible to close every
possible vulnerability. We need to focus on designing a resilient and repairable
information infrastructure. Our experience in designing highly reliable computer
systems does not scale to a large, distributed information infrastructure.
Our design practices are not based on the possibility of malicious events.
We need to focus on establishing information domains within the information
infrastructure, which will minimize cascading effects and which will enable
us to contain the battle damage which might result from an information warfare
attack. And, since we cannot yet effectively employ area and perimeter defenses,
we do not really know what the implications of scale are in establishing
an effective information warfare (defense) capability.

The Task Force does not want to imply that the various actions taken over
the years by the information security or INFOSEC community do not have roles
in IW defense. INFOSEC is an important contributor to achieving a robust
information warfare defense capacity. Unfortunately, to many, INFOSEC has
become shorthand for protecting the confidentiality of information.

Although important, the steps needed to ensure confidentiality are not adequate
to achieving information assurance in an information warfare environment.

Encryption may be an example of trying to make the problem too hard, as shown
in Exhibit 3-6. The nation has focused a lot of attention and energy on the
encryption policy debate. Encryption simply does not solve all of the information
security problems. The Task Force believes the policy debate has been a
distraction from efforts to enhance the resiliency of the critical national
information services.

Encryption is useful...

- But

  It's not a panacea

  It doesn't protect against denial of service attacks

  It's been a distraction

  Task Force believes access control and identification and authentication
  are many times more effective than encryption in "raising the bar"

- And the NRC report provides useful insights

  Non-confidentiality applications require more emphasis

    - User authentication

    - Data integrity

  Explore escrowed encryption

  Promote information security in the private sector

Exhibit 3-6. Additional Observations

The Task Force reviewed the NRC report and was briefed on the study effort.
While the Task Force felt that the report provided some useful insights,
namely that the non-confidentiality applications of encryption provide
significant benefit for user authentication and data integrity, the Task
Force also believes that access control and identification and authentication
are more efficient than encryption in "raising the bar." The NRC report also
suggests that escrowed encryption be explored and that attempts be made to
promote information security in the private sector. On the basis of the review
and briefing, the Task Force determined that a further detailed examination
of the encryption issue would probably not yield any additional major insights.

The Computer Security Act of 1987, the recent Clipper debate, and the continuing
encryption policy debate highlight the private sector and civil agency
reservations about the role of DoD in the area of national information
protection. Exhibit 3-7 shows this role.

Market forces are extremely powerful, but will not alone provide the capability
desired. The market simply does not perceive the possibility of a strategic
information warfare attack against information centers of gravity. The market
is not sufficiently informed about the vulnerabilities and threat to make
rational national security judgments. Further, there may be little economic
motivation to invest in security or even strong market incentives to resist
adding security. Where there is commercial awareness, it is focused on protecting
against theft of data and services (e.g., credit card numbers, telephone
service) and alteration of data (e.g., financial accounts). Denial of service
attacks are not an area of major concern for commercial entities. Managing
the problem will require some legislation, some additional regulation, some
indemnification of the private sector to achieve desired assurance goals,
and some incentives (such as revisions to the tax structure).

The seams are critical. Currently, information necessary for an effective
information warfare (defense) capability is not shared effectively across
the seams. Information warfare (offense) is highly compartmented in spite
of the fact that it shares common technology and operating environment with
the information warfare (defense) community. In some cases, the military,
law enforcement and intelligence communities are restricted by law, executive
order, or regulation from sharing certain information. Historically, these
communities are notoriously bad at sharing information. There are very few
mechanisms for government and industry to share sensitive information such
as vulnerabilities and intrusions. This lack derives primarily from the
competitive sensitivity of information that is required for an effective
information warfare (defense) capability.

In addition, at the national level, there are competing equities at stake
in nearly every information warfare issue. Not only do these interests compete
among each other, there are competitive forces within each of the sectors.
Some examples are shown for each of the four equities. Resolution of the
information warfare (defense) issues at the national level will be a time-
consuming and laborious process. While it may not be possible to balance
the equities, the key is to provide a mechanism to discuss rationally and
deal with the legitimate equities of the participants. Grappling with this
problem on the national level will require a very broad perspective if we
are to ensure that national, regional, and local interests are served.

While information warfare (defense) is an extremely complex problem set,
there is a lot that can be done with a limited number of resources quickly.
Many of the Task Force recommendations identify these possibilities, some
of which are shown in Exhibit 3-8.

However, a lot can be done

- Awareness, training and education and clarity of organizational responsibility
  and accountability are seen as yielding the largest short-term improvements

- We're not applying the knowledge we have

And DoD must start now!

- Can't wait for the Presidential Commission to report out

Exhibit 3-8. Additional Observations

Finally, DoD must start now to implement the recommendations of the Task
Force. This is the third year in a row that a task force of the Defense Science
Board has issued a call for action. The President's Commission will be occupied
with issues that transcend the Federal government and the private sector.
DoD cannot afford to wait for all of these higher level issues to be resolved
before embarking on a concerted effort to grapple with those issues that
are within the authority of the Secretary of Defense to address.

WHAT SHOULD WE DEFEND?

Determination of what to defend should follow from our nation's vital interests
as documented in the current national security strategy. On the basis of
these interests, the Task Force postulated the goals shown in Exhibit 4-1.
Given the available time, it was not possible for the Task Force to address
each of these goals in detail. However, the Task Force did develop a set
of national-level defensive information warfare interests based on these
goals.

Vital interests (A National Security Strategy of Engagement and Enlargement,
The White House, February 1996)

- Enhance our security with military forces that are ready to fight and with
  effective representation abroad

- Bolster America's economic revitalization

- Promote democracy abroad

Goals

- Stable monetary, financial and banking systems which enjoy public
  confidence

- Free trade

- Continuity of government and constitutional authority

- Personal privacy

- Ability to deploy, employ and support military forces

- Protected intellectual property

- Venue for resolution of policy issues among government, individuals
  and the private sector

- Availability of emergency services for any emergency, natural or
  man-made

- National standards for "reasonable" protection regimes for public
  and private networks

- Stimulate research, development and application of technologies
  for IW-D

Exhibit 4-1. National Goals For Information Warfare (Defense)

Exhibit 4-2 indicates the national interests that must be defended. The emphasis
is on defending critical functions and processes, not on defending forces,
platforms, or geography. As was the case in developing an ensured means of
control for the strategic nuclear deterrent, some critical information
infrastructure capabilities must be isolated from the interconnected national
and global information infrastructure to ensure they remain available to support
and manage the restoration of critical functions.

The strategic nuclear deterrent

Continuity of government

Information warfare indications and warning

Minimum essential information infrastructure to manage and carry out
restoration of critical functions

Other critical DoD and national (civil) functions and infrastructures
based on importance and resources available

- Critical DoD functions

  Operations

  Deployment

  Sustainment

  Mobilization

- Other critical national functions

  Banking

  Commerce

  Government services

  Etc.

- Portions of infrastructures supporting the critical functions

  Financial networks

  Electric power

  Emergency services

  Gas and oil storage and distribution

  Government operations

  Telecommunications

  Transportation

  Water supply

Exhibit 4-2. The National Interests

The Department must preserve its ability to fulfill its basic missions. To
do that, DoD must be concerned about the ensured operation of the critical
functions and the availability of the information necessary to fulfill those
missions. The intertwined nature of the functions and infrastructures makes
this very complex. Critical national functions that have possible national
security implications must be defended, and those portions of the infrastructures
that are necessary for the operation of critical DoD and national functions
must also be defended.

HOW SHOULD WE DEFEND?

5.1 PROCEDURES, PROCESSES AND MECHANISMS

Exhibit 5-1 depicts the essential procedures, processes, and mechanisms
for IW-D. They are based on the defensive information warfare implementation
model developed by the Information Assurance Division of the Joint Staff
J6. An essential step in preparing an information warfare defense is the
identification of critical national information functions and the information,
information services, and infrastructures upon which these functions depend.

The first order of business is to deter information warfare attacks. This
deterrence must include a national will as expressed in law and conduct,
a declaratory policy on consequences of an information warfare attack against
the United States, and an indication of the resiliency of the information
infrastructure to survive an attack.

The most immediate need is to provide some form of protection. This protection
might include physically isolating information, providing some form of access
control and authentication of personnel performing critical functions or
accessing information, or encryption of the information. As time permits,
the information infrastructure supporting critical functions should be designed
for utility, resiliency, repairability, and security. An equally important
function is to verify through independent assessments that the design is
being followed, that protective measures are being implemented where appropriate,
and that the information warfare (defense) readiness posture is as reported.

As suggested in the Task Force observations, the importance of intelligence
support to information warfare (defense) cannot be overemphasized. This support
must include strategic indications and warning of potential information warfare
attack, timely and accurate threat assessments, and current intelligence
support in the event of an information warfare attack.

The essence of tactical warning is monitoring, detection of incidents, and
reporting of the incidents. Monitoring and detection of infrastructure
disruptions, intrusions, and attacks are also an integral part of the information
warfare (defense) process. Providing an effective monitoring and detection
capability will require some policy initiatives, some legal clarification,
and an ambitious research and development program, all of which will be addressed
later in the report. All intrusions and incidents should be reported so that
patterns of activity can be established to aid in strategic indications and
warning. The FCC requirement to report telephone outages of specified duration
affecting more than a specified number of customers serves as a model in
this regard.

It is probable that the telecommunications infrastructure will be subject
to some form of attack. We should have some capability to limit the damage
that results and to restore the infrastructure. Little research has been
devoted to the basic procedures necessary to contain "battle" damage, let
alone to the tools which might provide some automated form of damage control.
Restoration of the infrastructure assumes some capability to repair the damage
and the availability of resources such as personnel, standby services contracts,
and the like.

Finally, information warfare (defense) should include some form of attack
assessment to aid in determining the impact of an attack on critical functions
and in determining the appropriate response to an attack.

A key point not reflected in the exhibit is that this process must be a
distributed process. The basic functions of monitoring, detection, damage
control, and restoration must begin at the lowest possible operating level.
Reports of the activity must be passed to regional and DoD-level organizations
to establish patterns of activity and for assistance as needed in damage
control and restoration.

5.2 STRATEGY

We will use the following strategy to achieve this capability for the Defense
Information Infrastructure:

Address infrastructure, not just system or network, protection. The design
of systems and networks is generally based on efficiency considerations.
Infrastructure protection must be based on effectiveness considerations.

Manage DII risk. It is impossible to pay the cost of avoiding risk to the
DII. Protection of the DII must be based on both effectiveness and efficiency
considerations.

Protect information commensurate with its intended use. In certain circumstances,
unclassified but sensitive information (e.g., weather and terrain data) may have
more tactical significance than classified information (e.g., outdated
intelligence estimates).

Integrate policy, technical, operational, and personnel aspects. Each of
these aspects is treated separately for the various communications, information,
and security disciplines. They must be integrated for both efficiency and
effectiveness.

Use Service/Agency core competencies. All ongoing relevant activities must
be reviewed to preclude reinventing the wheel.

Build on current programs and initiatives. Use the ongoing information security
activities and programs and those of related security disciplines as the
foundation for achieving an IW-D capability.

Emphasize solutions to the traditional weak link--the person. Nearly all
espionage convictions are based on an inside threat. IW-D activities must
address this issue head on.

Harmonize IW-D, OIW, INFOSEC, and intelligence support functions. These closely
related functions are based on many common technologies and processes and
must be mutually supporting.

Harmonize activities to protect the NII, the GII, and the DII. Work toward
a consistent approach and economies of scale in protecting these highly
interconnected infrastructures.

RECOMMENDATIONS

The key recommendations are those which can be implemented by the Secretary
of Defense. Other recommendations are included which the SECDEF should make
to the Director of Central Intelligence, and those which relate to the
President's Commission on Critical Infrastructure Protection or the
Infrastructure Protection Task Force.

6.1 DESIGNATE AN ACCOUNTABLE IW FOCAL POINT

This is the most important recommendation the Task Force has to offer. Multiple
lead organizations with no clear principal staff assistant have led to confusion
and slow progress to date. Boards and councils are important for discussing
the issues, but have not and cannot provide the needed focus. Although many
of the tools used to carry out information warfare have been around for a
long time, the nature of information-dominated societies and activities makes
it appropriate to view information warfare as a new warfare area. Information
warfare is not the sole responsibility of the Chief Information Officer,
the Assistant Secretary of Defense for C3I, the Director of Central Intelligence,
the Chairman of the Joint Chiefs of Staff, the Secretaries of the Military
Departments, or the Service Chiefs. Each of these is, however, responsible
for a portion of this new warfare area. The Secretary of Defense, however,
needs a single person and office to plan and coordinate this complex activity,
as well as to serve as a single focal point charged to provide staff supervision
of the complex activities and interrelationships involved. This includes
oversight of both offensive and defensive information warfare planning,
technology development, and resources. Given the interconnected nature of
the information infrastructures, it is critical that the left hand knows
what the right hand is doing and that these complex activities are coordinated.

This single focal point should be required to report regularly on the state
of the areas shown and provide the informed interaction to other interagency
and intergovernmental IW-related activities as shown in Exhibit 6-1.

Confusion and slow progress to date

Boards and councils have not provided a focus

Information warfare is a new warfare area

- It is not Intel, C2, CIO

Charge focal point to "pull it all together"

- Staff supervision of both offensive and defensive IW

- Promulgate integrated policy

- Ensure development of information warfare theory, doctrine and practice

The Task Force recommends that the Secretary of Defense designate a focal
point for the coordination of information warfare. While the focal point
could be any of the existing Under Secretaries or Assistant Secretaries,
the Task Force recommends that the focal point be the Assistant Secretary
of Defense for C3I. The first order of business for the focal point should
be to develop a plan of action to obtain the needed capabilities. The focal
point should also report the Department's IW status annually to the SECDEF.
The focal point should be given authority to issue instructions. The long
view suggests the eventual need for an Under Secretary of Defense for
Information. While the Task Force does not make such a recommendation at
this time, there was strong sentiment within the Task Force in support of
organizing for the long view. The Task Force also recommends that a Deputy
Assistant Secretary reporting to the ASD(C3I) be named and provided an adequate
supporting staff to assist in providing the necessary staff oversight and
coordination of information warfare activities. The Task Force hope is that
as many IW-related functions as possible would be consolidated under this
individual.

6.2 ORGANIZE FOR IW-D

Before discussing specific organizational recommendations, this section briefly
discusses what the Task Force views as necessary capabilities for IW-D. Exhibit
6-2 shows the capabilities the Task Force determined are necessary for an
effective information warfare (defense) and which are not adequately addressed
in the Defense Department's current information warfare (defense) planning.

1. Intelligence indications and warning, current intelligence and
threat assessment

2. Operations (911)

3. Planning and coordination (411+)

4. System, network and infrastructure design

5. Independent assessments

Exhibit 6-2. Organize for IW-D

Section 3, Observations, addressed the need for intelligence indications
and warnings, current intelligence, and threat assessment. A specific
recommendation which addresses the needed improvements in intelligence support
to information warfare (defense) follows.

"Operations" as used in Exhibit 6-2 is shorthand for those time-sensitive
activities necessary for dealing with an actual intrusion or attack. While
not fully analogous, the Task Force sometimes refers to these capabilities
as 911 or emergency response capabilities. Remember that these operations
capabilities must be distributed throughout the Department--down through
the Military Departments and Services and the Defense Agencies and through
the CINCs to the operating forces.

"Planning and coordination" is shorthand for preparedness activities. The
Task Force has taken to referring to these capabilities as enhanced 411 or
411+ capabilities. Once again, the analogy is not completely accurate since
it does not convey what will certainly be a broader interactive capability,
but it does help to make quick associations with intended capabilities.

One of the more critical needs is a continued capability to obtain an independent
assessment of our information warfare (defense) posture. While these assessments
can be carried out at any level, it is felt that there should be a capability
established which is accountable directly to the SECDEF/DEPSECDEF. In addition,
the organization established to provide this capability should be staffed
with people who are knowledgeable of all types of threats and of both the
DoD and private sector environments.

6.2.1 Establish a Center For Intelligence Indications and Warning, Current
Intelligence, and Threat Assessments

Current intelligence resources and processes are not optimized to provide
an understanding of threats and potential adversary capabilities to conduct
Information Warfare; nor are they presently capable of providing either
Indications and Warning or Attack Assessment of Information Warfare. An
understanding of the IW process and indications of an IW attack will most
probably require an unusual amalgamation of otherwise seemingly unrelated
sets of data. The lack of previously identified and validated indicators
for IW creates several additional difficult dimensions to the problem facing
the Intelligence and Defense communities' efforts to understand all aspects
of IW.

The United States has, over nearly four decades, identified many sets of
data comprising indicators of activities by potential adversaries
(communist-bloc). These indicators have provided the foundation of our
intelligence assessment and indications and warning processes. Examples of
these include known and understood development processes and cycles for military
equipment ranging from ICBMs to submarines to bomber aircraft. Thus, if
we observed earth spoil on overhead imagery indicating a possible new heavy
ICBM silo was under construction, we could adjust our threat understanding
accordingly. Similarly, we might observe Soviet Missile Range Instrumentation
Ships moving toward areas of the Pacific Ocean known (from prior observations)
to be used by Russia as an impact area for ICBM tests, and we would conclude
that a missile test was in the offing. Or, if a Mediterranean nation began
to import chemicals which could be used either in fertilizer or in chemical
agents for war, we could be on the alert for other indications of chemical
gas production such as special buildings, storage facilities or personalities
known to possess technical knowledge necessary to produce chemical weapons.

In a more operational vein, over time, we began to understand communist-bloc
strategy, doctrine, and tactics as well. All of this knowledge was gained
from a series of observations over several years. We were able to use this
knowledge as we planned for combat and designed and executed wargames. Over
four decades, with the expenditure of billions of dollars, collection,
analysis, and reporting systems were optimized to deal with these known,
discrete indications of activity. These "known indicators" permitted us to
conduct intelligence assessments, Indications and Warning, and in some cases,
attack assessments.

There were several factors involved in our gathering these data sets. The
first is that we (and others) have made enough similar observations to establish
"patterns of activity." Secondly, these observations have either caused us,
or permitted us, to identify a number of discrete activities that we conclude
are indicative of the "entire pattern," or significant segments of the pattern.
Thirdly, having noted one or more of the discrete indicators, we know what
other indicators to look for to corroborate our suspicions.

Information Warfare is a whole new game from the Intelligence dimension.
We have precious few real data from which to derive "patterns of activity."
This is made all the more difficult because so many of the "indicators" we
have used in the past have involved some physical phenomena. In IW, at least
in the computer and networked components of it, evidence of IW is fleeting
at best and is usually not physically observable. The Intelligence Community
is working hard to address some of these issues; but progress is hampered
by organizations, processes, and systems optimized for situations found in
the past, not the future. Evidence of IW preparations or attacks is most
likely to come from a wide variety of sources and venues: from the more than
50 Computer Emergency Response Teams (CERT) around the world, from nodes
of different segments of our National Information Infrastructure, from academia,
from the Internet, from law enforcement agencies, from FEMA, and of course
from traditional Intelligence Community resources such as human, signals,
and open source intelligence. The Defense Science Board believes that some
new approaches to collection and analysis are urgently needed.

The intelligence community understands as well as any that they face a tremendous
challenge in developing information-age intelligence support activities.
Some of the Task Force observations regarding these challenges were discussed
earlier in the report and are shown in Exhibit 6-2-1. It is no easy matter
to pinpoint the requirements, identify observables, establish patterns and
indicators of the patterns, identify sources of the indicators, or determine
how the sources will be exploited to collect the information necessary to
develop the indicators.

Exhibit 6-2-1. Establish a Center for Intelligence Indications and Warning,
Current Intelligence, and Threat Assessments

The recommendation to establish the center at NSA recognizes their role in
electronic intelligence and is meant to build upon recent organizational
efforts at NSA. However, NSA must be augmented by DIA and CIA personnel because
of the extensive social engineering component of information warfare. The
Task Force believes it is essential to keep separate the intelligence and
operations functions. The reason for the separation is that these functions
are different. The intelligence community focuses on strategic warning and
the operations community focuses on continuity of service and the warning
and response to immediate danger.

The Task Force believes the recommendations in Exhibit 6-2-1 are key to improving
the intelligence support to defensive information warfare. While there has
been some activity in these areas, the whole process needs a significant
jump start. In addition, representatives from the intelligence community
pointed to the lack of Essential Elements of Information (EEIs) from the
operational community as a contributing factor to the intelligence challenge.
This should not be an inhibitor to progress.

There may, in fact, be a need to form a National Center for Indications and
Warning. This center would gather and analyze monitoring data continuously.
The data would be derived from commercial infrastructure systems as well
as government. The center could be charged with searching for and detecting
early signs and precursors of a wide scale, coordinated attack and with providing
warnings to U.S. government and private sector organizations. Toward that
end, a phased approach would be appropriate, beginning with a DoD-specific
organization which is scalable and extensible, and evolving towards a
pan-government and private sector organization. Roles of the organization
should include gathering and analyzing voluntarily contributed data,
disseminating findings, and acting as a clearing house to coordinate feedback
and responses from the community.

6.2.2 Establish a Center for IW-D Operations

The basic required defensive information warfare operations functional
capabilities are shown in Exhibit 6-2-2. The terms tactical warning and attack
assessment are familiar to the strategic nuclear forces. They fit in the
information warfare context consistent with the definitions in Joint Pub
1-02, Dictionary of Military Terms. Providing these capabilities in the
information-age context, however, is very different from the nuclear era.
Emergency response and infrastructure restoration are self-explanatory.

The Chairman has already undertaken an effort to establish a military operations
center and has instructed the CINCs to establish IW cells within their staffs.
The military operations center will consist of two elements. First, a small
cell will be established in the J3 and will be staffed during normal duty
hours. During crises, the J3 cell will have specific authorities over the
second element, the Joint Information Warfare Center. The Joint Information
Warfare Center will be staffed 7 days a week, 24 hours a day, and will serve
as the interface to organizations such as the CINC IW cells, the Joint Spectrum
Center, the Joint Warfare Analysis Center, the Joint Command and Control
Warfare Center, and the Service IW organizations.

The distinction to be made between the military IW center and the defensive
information warfare operations center is that the military center will focus
on military operations of a time-sensitive nature. The defensive information
warfare center will be focused on the Defense Information Infrastructure
and other critical infrastructures as appropriate.

While the Task Force recommends that the center be established at DISA, current
technology certainly provides for establishing a virtual center. This virtual
center would draw on support from geographically dispersed elements. Initial
staffing should come from existing assets. As suggested earlier, this operations
capability must be distributed down and throughout the Department, linking,
for the most part, existing operations centers, emergency response teams
and so on. The Task Force envisions eventual links to other government centers
including any that may result from the actions of the Infrastructure Protection
Task Force recently created by Executive Order 13010.

Establishing the center is relatively easy. Developing and implementing the
process and procedures to be used will be much more difficult; there has
been almost no effort devoted to this area. One suggestion the Task Force
makes is that eventual staffing and procedures take advantage of technical
expertise available in the national guard, the reserves, mobilization augmentees,
and contractors. Mandatory reporting sounds easy but may be difficult to
implement because of a basic fear by those reporting that they will be held
accountable for the intrusion or incident and that they will have to pay
to fix the problem. Mandatory reporting may have to be accompanied with some
form of inducements such as a "fix it free" offer. It will also be necessary
to distribute these capabilities throughout the Department and establish
an information channel with the indications and warning/threat assessment
center for sharing of information essential to the performance of each center's
mission.

If national-level centers for infrastructure protection are established as
a result of the recommendations of the President's Commission on Critical
Infrastructure Protection, then the Department should ensure appropriate
interfaces are established between DoD functions and these centers.

The tentacles of this Operations Center should be virtually extended to every
organization in DoD, ranging in scope from a single person serving as point
of contact for the organization to having an emergency response cell located
with the organization.

DISA should establish a threshold of information event that requires reporting
to the Operations Center. Every information event reaching that threshold
must be reported and penalties established to enforce that reporting. DISA
should maintain a knowledge base of that reporting and ensure all response
personnel are appropriately trained and informed.

6.2.3 Establish a Center for IW-D Planning and Coordination

The role of the planning and coordination center, shown in Exhibit 6-2-3,
will be to support the ASD(C3I) in fulfilling his responsibilities as the
focal point and to facilitate the sharing of sensitive information within
the Department, among the Federal departments and agencies, and with the
private sector.

- Facilitate sharing of sensitive information (e.g. threats, vulnerabilities,
fixes, tools, techniques) within DoD and among government agencies,
the private sector service providers and professional associations.

Action (ASD(C3I) lead):

- Establish an IW-D planning and coordination center (411+) reporting to
  the ASD(C3I) with interfaces to the intelligence community, the Joint
  Staff, the law enforcement community, and the operations (911) center

Exhibit 6-2-3. Establish a Center for IW-D Planning and Coordination

One of the first activities of the planning and coordination center should
be to establish a planning framework which can provide for meaningful assessments
of progress in information warfare preparedness. This center will not write
plans for the CINCs, Services, and Defense Agencies, but will identify the
need and means for integrating information warfare considerations into
traditional planning activities.

The center will aid the focal point in assessing the treatment and implications
of information warfare in policy and plans, operations, and the allocation
of resources to information warfare. The center will also analyze and assess
IW-related incident reports generated by the Services and Agencies and forwarded
to the 911 operations center. The assessment will determine patterns of activity
that might indicate the need to revise plans or resource allocations.

Since there is no established method for assessing the dependency of operations
plans and DoD support activities on information and infrastructures, the
center will need to develop the procedures and metrics for such assessments.
The military operations community and the functional support community will
perform the assessments. These infrastructure dependency assessments will
be discussed in more detail later in this report.

Sharing of sensitive information is probably one of the most important first
steps in building a defensive information warfare capability. There are
significant legal, regulatory, competitive and emotional hurdles to overcome;
these must be addressed as soon as possible.

It is not necessary to break the cryptographic protection to attack our
classified computing environments. The protection paradigm used by DoD is
based upon the classification of information. However, most classified computer
systems contain, and often rely on, unclassified information. This unclassified
information often has little or no protection of the data integrity prior
to entry into classified systems. The expected interaction between GCCS and
GTN is an example of this. An increasing number of DoD systems contain decision
aids and other event-driven modules. These should be buffered from unclassified
data whose integrity cannot be verified.
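The following Python example, added here and not part of the Task Force report, illustrates one way of buffering an event-driven module from an unclassified feed: the producing system tags each record with an HMAC under a key shared with the receiving gateway, and only records whose tag verifies reach the decision aid. The key, field names, and records are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed example. A shared key would normally come from key management;
# this placeholder exists only so the example runs offline.
FEED_KEY = b"example-shared-feed-key-placeholder"

# The fields whose integrity the tag covers, in a fixed order so that the
# producer and the gateway always tag exactly the same bytes.
CANONICAL_FIELDS = ("unit", "location", "eta")


def canonical_bytes(record: dict) -> bytes:
    """Serialize the covered fields deterministically (raises KeyError if one is missing)."""
    payload = {name: record[name] for name in CANONICAL_FIELDS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = FEED_KEY) -> dict:
    """Producer side: attach an HMAC-SHA256 integrity tag to an outgoing record."""
    tagged = dict(record)
    tagged["tag"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return tagged


def verify_record(record: dict, key: bytes = FEED_KEY) -> bool:
    """Gateway side: recompute the tag and compare it in constant time.

    A missing tag, a missing covered field, or a mismatch all mean the
    integrity of the record cannot be verified."""
    tag = record.get("tag")
    if not isinstance(tag, str):
        return False
    try:
        expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    except KeyError:
        return False
    return hmac.compare_digest(expected.encode(), tag.encode())


def gate_feed(records: list) -> tuple:
    """The buffer: verified records are admitted, all others are quarantined
    for analyst review and incident reporting rather than acted upon."""
    admitted, quarantined = [], []
    for rec in records:
        (admitted if verify_record(rec) else quarantined).append(rec)
    return admitted, quarantined


def decision_aid(admitted: list) -> list:
    """Stand-in for an event-driven module; it only ever sees admitted data."""
    return [f"reposition support for {r['unit']} arriving {r['eta']}" for r in admitted]


if __name__ == "__main__":
    good = tag_record({"unit": "1-BDE", "location": "Port A", "eta": "D+3"})
    tampered = tag_record({"unit": "2-BDE", "location": "Port B", "eta": "D+5"})
    tampered["eta"] = "D+1"  # altered in transit, after tagging
    untagged = {"unit": "3-BDE", "location": "Port C", "eta": "D+7"}
    ok, held = gate_feed([good, tampered, untagged])
    print(f"{len(ok)} admitted, {len(held)} quarantined")
    for action in decision_aid(ok):
        print(action)
```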

Second-, third-, and "n" -order effects from an information warfare attack
have not been observed and are not well understood. Further, good data are
not available with which to conduct modeling and simulation of such effects.
Data must be collected to support the modeling and simulation of the effects
of specific information warfare attacks and defenses. Detailed data should
be gathered through several means:

Measure the specific local effects of a standard battery of attacks on common
components such as operating systems, firewalls, routers, etc. Experiments
should be conducted using various configurations and settings of the components
and attack variations for as complete a picture as possible.

Measure the effects and possible consequences for a standard battery of attacks
against many common configurations of generic networked systems. The technologies
and configurations selected for these experiments should be common to a large
percentage of the DII and NII, including telecommunications, power, and control
systems. Again the attacks should be carried out in multiple variations against
multiple target system types and configurations, with various types of defenses,
to obtain accurate data on the measurable effects of attacks in all these
circumstances.

Measure the effects and possible consequences for a battery of attacks, which
could include application-specific attacks, on stereotypical defense systems.
Measure the effects on mission effectiveness.

To achieve the goal of protecting information systems from future IW attacks,
a comprehensive, principled approach for architecture, design, and analysis
of secure, survivable distributed information systems must be developed.
These new principles and approaches should build upon, and be synthesized
from, existing and emerging information system engineering principles based
on work in fault-tolerant systems, trusted systems, and secure distributed
systems. The principles must be promulgated as guidelines so that they will
be widely applied.

There is a need to create a broader theoretical underpinning for understanding,
design, and analysis of the security and survivability of information systems.
Theoretical tools available today usually treat specialized aspects of
information security. Early information-theoretic work in the 1950s and 1960s,
work in the 1980s on trapdoor functions, and recent work on Byzantine robust
networks may form some basis for development of a broader theory. New theories
should be developed for robust systems. These theories need to include models
both for attacks on systems and for survivability defense strategies. Robust
system theory should include formal methods that apply to large-scale,
distributed, heterogeneous systems. Analysis techniques should include methods
for predicting and analyzing Red/Blue conflicts by, for example,
extension/application of game theory and other relevant approaches.

Since the cost of highly secure network subsystems will be very high, the
architect should assume that the defense network will traverse commercial
infrastructures, and that the underlying substrate will be inherently insecure.
The network architecture thus must ensure successful transmissions in the
presence of failed, faulty, and spoofed network components. For example,
spatial transmission diversity is an existing proof that reliability can
improve with intelligent use of the network. Since the future global network
will include subnets of varying robustness, it is suggested that a separable
entity be established as an overall net security management system. The overall
network security manager would be responsible for architectural add-ons (such
as wrappers) for each subnet, to provide survivable, secure service over
the entire net of nets.

For survivable systems, security is required at multiple levels, including
applications, middleware, operating systems, and networks. New architectural
approaches must enable the accommodation of legacy and COTS subsystems, perhaps
via wrappers, into an overall adaptive system-of-systems architecture. This
architecture must be designed to reallocate critical tasks dynamically to
subsystems which have survived the attack. The security/survivability management
of the system should be integrated into the overall system management framework,
in terms of both the automated and the human components of the system management
structure.

In order to test the effectiveness of the survivable system architecture,
principles, and theory, it is essential to conduct experiments and
demonstrations. It is recommended that such experiments and system demonstrations
be conducted in existing and emerging system testbeds and networks, building
on both experimental nets and the emerging DII and NII.

There are substantial differences between designing a typical information
system and designing a resilient information infrastructure capable of enduring
in the face of intentional disruptions. Information system design is typically
based on efficiency; a resilient information infrastructure design must be
based, instead, on effectiveness. Control must be decentralized and portions
must operate independently of the infrastructure. For example, fault-tolerant
computing introduces redundancy into otherwise efficient systems in order
to make them more effective, particularly against random disruptions. Similarly,
the design of a resilient infrastructure will ensure diversity of hardware
and software so that a common failure mode will not result in an infrastructure
failure. Investing in a proper design up front saves money in the long run
and negates the very real possibility of introducing vulnerabilities by
attempting to retro-fit security.
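The two design principles above, dynamic reallocation of critical tasks to surviving subsystems and diversity of hardware and software against common failure modes, are illustrated by the following Python example, which is added here and is not part of the Task Force report. The subsystem names, "lineage" labels, and tasks are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Subsystem:
    name: str
    lineage: str          # hardware family / software stack (constructed labels)
    capacity: int         # critical tasks it can host at once
    tasks: set = field(default_factory=set)
    alive: bool = True


class SurvivableAllocator:
    """Places replicas of critical tasks so that no two live replicas share a
    lineage, and reallocates them after losses (constructed example)."""

    def __init__(self, subsystems):
        self.subsystems = {s.name: s for s in subsystems}
        self.required = {}  # task -> number of replicas it must keep

    def replicas_of(self, task):
        return [s.name for s in self.subsystems.values() if s.alive and task in s.tasks]

    def lineages_of(self, task):
        return {self.subsystems[n].lineage for n in self.replicas_of(task)}

    def is_diverse(self, task):
        """True when every live replica of the task sits on a distinct lineage."""
        return len(self.replicas_of(task)) == len(self.lineages_of(task))

    def place(self, task, replicas):
        """Add replicas on live, non-full subsystems of lineages not yet used
        by this task; least-loaded subsystems are considered first."""
        self.required[task] = replicas
        used = self.lineages_of(task)
        added = []
        for s in sorted(self.subsystems.values(), key=lambda s: len(s.tasks)):
            if len(self.replicas_of(task)) >= replicas:
                break
            if s.alive and s.lineage not in used and len(s.tasks) < s.capacity:
                s.tasks.add(task)
                used.add(s.lineage)
                added.append(s.name)
        return added

    def fail(self, *names):
        """Mark subsystems as lost, then reallocate every task they hosted.
        Returns, per task, the subsystems that picked up replacement replicas;
        an empty list means the required replica count could not be restored."""
        lost = set()
        for n in names:
            s = self.subsystems[n]
            s.alive = False
            lost |= s.tasks
            s.tasks = set()
        return {t: self.place(t, self.required[t]) for t in sorted(lost)}

    def fail_lineage(self, lineage):
        """Common-mode failure: all live subsystems of one lineage die at once."""
        victims = [n for n, s in self.subsystems.items() if s.alive and s.lineage == lineage]
        return self.fail(*victims)


def build_demo():
    """Two critical tasks, two replicas each, spread over three lineages."""
    alloc = SurvivableAllocator([
        Subsystem("A", "x86/nt", 2), Subsystem("B", "x86/nt", 2),
        Subsystem("C", "sparc/solaris", 2), Subsystem("D", "mips/irix", 2),
    ])
    alloc.place("ato-planning", 2)
    alloc.place("sensor-tasking", 2)
    return alloc


if __name__ == "__main__":
    alloc = build_demo()
    print("after common-mode loss of x86/nt:", alloc.fail_lineage("x86/nt"))
    for task in ("ato-planning", "sensor-tasking"):
        print(task, alloc.replicas_of(task), "diverse:", alloc.is_diverse(task))
    print("after losing C as well:", alloc.fail("C"))
```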

The goal is to design for utility, resiliency, repairability, and security,
as shown in Exhibit 6-2-4. Presently, there is no significant body of knowledge
on infrastructure design. It will have to be developed based on the existing
design skills for fault-tolerant computing, resiliency, reliability, and
so on. This body of knowledge will expand through the results of the research
currently under way and planned for large distributed networks and survivable
systems. This growing body of knowledge will be used to develop and promulgate
policies, architectures, and standards which enhance the utility, resiliency,
repairability and security of the infrastructure. The collection of these
policies, architectures, and standards will constitute the infrastructure
design.

The infrastructure design should be verified independently periodically to
ensure that the design meets the goals of utility, resiliency, repairability,
and security. The Task Force suggests using NSTAC, NCS, and similar resources
to aid in this activity.

The infrastructure design should also be used to verify that goals of utility,
resiliency, repairability, and security are reflected in the specifications
for development of new systems and for purchase of services from the other
government agencies and the private sector.

The Task Force recommends the establishment of a joint architecture/design
office in DISA to develop and promulgate throughout the Department the needed
design policies, architectures, standards, and configuration management process.
This office should include the current architecture and design activities
of DISA, but should also be focused on infrastructure design and the
incorporation of security up front in the architecture and engineering process.
The Task Force also recommends that a process be developed to verify compliance
with the design independently.

6.2.5 Establish a Red Team for Independent Assessments

Red Teaming is an essential component of the IW-D strategy and technology
development process. We recommend that the concept be extended to include
vulnerability analyses as well as carefully planned attacks during experimental
activities in controlled testbeds and during training/planning exercises.
The Red Team exercises should be conducted under proper rules of engagement
to avoid unnecessary damage or disruption to information systems.

Emphasis should be given to developing new attack methodologies in addition
to reusing and applying current attacker techniques. For example, attacks
should be designed which exploit the system's survivability features. A
sophisticated attacker would probably know about these features. In formulating
these attack strategies, models should first be developed for system
vulnerability and its likely defenses, and these models should be exploited
in the attack strategies. Vulnerability analyses and Red Team attacks should
be conducted at the application and system level, as well as at the subsystem
level, with the goal of uncovering how operations can be perturbed (e.g.,
the planning and execution of an air tasking order or the deployment of sensors
and communication assets), and how supporting communication links, or specific
computers and network nodes, can be compromised.

The need for independent assessments is suggested in the notion that "you
can only expect what you inspect." Many activities throughout the Department
are in the process of forming Red Teams for the purpose of conducting
vulnerability analyses, training, readiness assessments, and so on. The Task
Force endorses these efforts, particularly in light of previous DSB Task
Force recommendations. However, what the current Task Force is recommending
is the "SECDEF/DEPSECDEF's Own" -- a team whose central role is providing
the SECDEF/DEPSECDEF with unbiased assessments on the Department's IW "state
of health."

As shown at the bottom of Exhibit 6-2-5, the Task Force recommends that a
Red Team be established to perform these independent assessments. Two previous
Defense Science Board Studies have made a similar recommendation to establish
such a Red Team. While the Task Force was unable to agree on whether the
new organization should be a standalone organization or housed in an existing
organization, there was unanimity that the Team will require significant
management attention and, although reporting through the ASD(C3I), should
be accountable to the DEPSECDEF for its activities.

Developing and maintaining an independent assessment capability is very important
because of the traditional resistance to self-assessment and potential
embarrassment. However, it is essential that the Department evaluate its
IW preparedness and not wait to learn of any major shortfalls because of
the actions of an adversary. This Red Team should have a small permanent
cadre for management and technical continuity and should be staffed by civilian
personnel and military personnel on a rotating joint duty basis.

The organizational recommendations made by the Task Force are shown graphically
in Exhibit 6-2-6. While it was obvious to the Task Force that similar information
warfare (defense) capabilities and organizations must be established at the
national level, the Task Force decided not to make specific recommendations
about where these organizations should be established or to whom they should
report. Instead, the Task Force recommends this be left to the President's
Commission. However, it should be pointed out that there is a real need for
extensive coordination and information sharing between government (Federal,
state, and local) and the private sector.

Exhibit 6-2-7 also shows the organizational recommendations made by the Task
Force but emphasizes the functional aspects. The defensive information warfare
process, procedures and mechanisms diagram discussed earlier in the report
is shown in the middle of the Exhibit and the process has been divided by
the gray line into preparedness functions and operations functions. The
recommended organizations are arrayed in the Exhibit so as to relate their
functions (shown near the ovals) to the entire defensive information warfare
process.

6.3 INCREASE AWARENESS

An important and cost effective first line of information warfare defense
is a user and operations community that is aware of potential threats and
is well trained in protection, detection, and reaction tactics, techniques
and procedures. A well-trained and educated cadre of security and automated
information system professionals can provide an effective second line of
defense. The Services and Agencies (NSA in particular) have long provided
INFOSEC training. Traditional DoD security awareness and training, however,
has emphasized the security of classified national security information and
information systems processing classified national security information.
DoD components are currently implementing awareness, training, and education
(ATE) programs to focus on new threats to both unclassified and classified
networks. Working groups have been established to help coordinate efforts
between components. There is a need, however, for a DoD-level forum with
the authority to reduce duplication and implement consolidated training
responsibilities. This forum must take advantage of core competencies to
ensure a comprehensive, cost-effective program.

Current modeling and simulation efforts do not adequately address issues
that can be expected to arise in an information warfare attack environment.
For example, little or no consideration is given to the tactical impact of
compromised or exploited computing and networking resources, beyond perhaps
the classical effects of jamming or ESM techniques as applied to the battlefield
communications infrastructure.

A fundamental shortcoming of traditional wargame-oriented simulations is
the failure to predict changes in battlefield behavior resulting from the
dynamic interplay of people with new weapons, sensors, tactics, etc. This
is mainly due to deeply embedded, built-in assumptions of human tactical
behavior. The introduction of a new dimension to the battle-space, namely
that of IW, serves to aggravate the problem. A new generation of simulations
and gaming environments is needed that not only generally minimizes built-in
assumptions on human behavior, but also captures in particular the implications
and impact of sophisticated information warfare types of attacks.

Because of our perceived lead in offensive information warfare capabilities,
not everyone understands the need for defensive information warfare preparations.
The Task Force review of several current Service and joint doctrine documents
indicates that defensive information warfare matters are not adequately
addressed. The Task Force strongly suggests the need to make senior-level
government and industry leaders aware of the vulnerabilities and appreciate
the implications. The recommended actions are shown in Exhibit 6-3.

The awareness campaign should be designed for several purposes. The internal
campaign should make DoD personnel more aware of the threats, vulnerabilities,
and fixes and should also make DoD a better informed customer in the acquisition
of systems, COTS products, and services. The external program should make
DoD suppliers better aware of DoD needs and should make the civil agencies
and the general public understand DoD dependence on infrastructures and the
role of DoD in the information-age "common defense."

IC/IW (Offense) capability breeds complacency

Military doctrine does not adequately address IW vulnerabilities

Need senior-level government and industry appreciation of what's at stake

- Pursue all avenues (briefings, conferences, articles, etc.)

Action:

- Establish an internal and external IW-D awareness campaign for the public,
industry, CINCs, Services and Agencies (ASD(C3I) and Public Affairs)

- Expand the IW Net Assessment recommended by the 1994 Summer Study to include
assessing the vulnerabilities of the DII and NII (USD(P) lead)

- Develop and implement simulations to demonstrate and play IW-D effects
(USD(A&T) lead)

- Implement policy to include IW-D realism in exercises (CJCS lead)

- Conduct IW-D experiments (CJCS lead)

Exhibit 6-3. Increase Awareness

The Task Force recommends that the ongoing IW net assessment recommended
by the 1994 Summer Study be expanded to include an assessment of the
vulnerabilities of the DII and the NII with particular emphasis on those
portions of the NII upon which the Department is especially dependent. A
brief review by the Task Force of selected joint doctrine revealed a heavy
dependence on information and information technology without corresponding
attention to defensive information warfare. Existing doctrine should be reviewed
for needed emphasis. The Department should also explore the possibility of
large-scale demonstrations for the purpose of exploring cascading effects
and for collecting data necessary for simulation of information warfare
activities.

In addition, and to the extent possible, information warfare (defense) must
be realistically played in exercises. This will require some concerted management
attention. The Task Force notes that DoD policy directing the CINCs to conduct
exercises with realistic information warfare play has been in effect since
1992; to date, there has been very limited execution of this policy and no
noticeable effort to implement it. In those cases where a realistic IW
environment cannot be created, specific experiments must be developed to assess
the effects of information warfare attacks.

6.4 ASSESS INFRASTRUCTURE DEPENDENCIES AND VULNERABILITIES

Traditional thinking is that infrastructures, with few exceptions, are stable,
reliable, and always available. The nation's interstate highway system is
a prime example. Consequently, the Department's operational and functional
planners have not adequately addressed the possibility that key infrastructures
such as telecommunications, electric power, and transportation might not
be available in part to support military operations. The purpose of this
recommendation, as shown in Exhibit 6-4, is to get the operational and functional
planners to begin documenting the extent to which their plans are dependent
on critical infrastructures and what effect infrastructure disruptions might
have on execution of the plans.

The Joint Staff has begun to address the issue by developing a draft Mission
Needs Statement for Infrastructure Assurance Modeling. The MNS approach is
to use modeling and simulation. This is probably the best long-term approach
to understanding infrastructure inter-dependencies, potential cascading effects,
etc.

The Task Force recommends that a separate effort be initiated by the ASD(C3I)
to develop an alternative approach using other analytical techniques that
could be employed in the near term by the operational and functional planners
to assess all critical infrastructure dependencies. Based on these assessments
by the Chairman and the Principal Staff Assistants, the Chairman should develop
the essential infrastructure protection needs and the ASD(C3I) should develop
the resource estimates for the needed protection.

The Task Force recognizes that this will be an enormous task. However, the
complexity and difficulty of the task should not be an impediment to starting
the effort; "the journey of a thousand miles begins with a single step."

6.5 DEFINE THREAT CONDITIONS AND RESPONSES

Exhibit 6-5-1 shows that, as in the traditional operations community, the
IW-D operations community requires an alerting mechanism to heighten awareness
and preparedness as the threat increases. In addition, there should be some
prescribed response by the IW-D operations community to increasing threat
conditions such as minimizing the traffic on the networks, restricting personnel
access to operational facilities, disconnecting certain systems from networks
which are likely targets, and possibly implementing wartime modes of operation.
While the effort is urgently needed, it will be complicated by the extensive
interconnectivity of systems and networks and because some of the required
actions must be taken by the private sector, since much of the Defense
Information Infrastructure is embedded in the public switched and data networks.

Conditions and responses required for risk management

- Conditions analogous to DEFCON

- Responses might include
  - Minimize
  - Personnel actions
  - Disconnecting from the "net"
  - Use of War Mode (WARM) protocols

Defense of the information infrastructure complicated by

- Interconnectivity - heightened state of alert must extend to all connected
systems and networks

Exhibit 6-5-2 is an illustrative cut at what a structured threat condition
and response table might look like. This is not a definitive threat chart.
For example, "normal" is yet to be defined and very damaging attacks can
be postulated that would not cause a noticeable increase in the number of
incidents. Also, it should not be inferred that the Task Force believes an
information warfare attack will necessarily escalate in a linear manner from
level II to level V. An attack could be oriented on a specific critical target
or could immediately threaten multiple centers of gravity within the United
States. The term "special contexts" is an attempt to highlight the potential
linkages between an information warfare attack and other circumstances that
may be present. For example, disruption of the infrastructures supporting
Fort Bragg, North Carolina, would have much greater impact during a deployment
of U.S. forces to a crisis location than it would during normal peace-time
training operations.

I - Normal
  Situation: Normal threat (crime/incompetents); normal activities in all
  sectors
  Required response: Normal actions and requirements

II - Perturbation
  Situation: 10% increase in incident reports, regional or functionally based;
  15% increase in all incidents
  Required response: Increase in incident monitoring; look for patterns across
  a wide range of variables; alert all agencies to increase awareness
  activities; begin selective monitoring of critical elements

III - Heightened Defense Posture
  Situation: 20% increase in all incident reports; Condition II with special
  contexts
  Required response: Disconnect all unnecessary connections; turn on real-time
  audit for critical systems; begin mandatory reporting to central control

IV - Serious
  Situation: Major regional or functional events that seriously undermine U.S.
  interests; Condition II/III with special contexts
  Required response: Implement alternate routing; limit connectivity to minimal
  states; begin "aggressive" forensic investigations

V - Brink of War
  Situation: Widespread incidents that undermine U.S. ability to function;
  Condition III/IV with special contexts
  Required response: Disconnect critical elements from public infrastructure;
  implement WARM protocols; declare state of emergency

Exhibit 6-5-2. Sample Threat Condition and Response

Deriving a solid set of threat conditions and appropriate responses will
require some serious research. The various levels reflect combinatorial effects
as well. For example, it is possible to move from Condition I to Condition
V without passing through the intervening conditions. Condition II reflects
the notion that an attack may be surgical rather than broad-based.
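The following Python example, added here and not part of the Task Force report, works the illustrative table of Exhibit 6-5-2 against a batch of incident reports of the kind the 911 operations center would aggregate. The percentage thresholds are the exhibit's; the reading that a "special context" raises the derived condition by one level, the flags for major and widespread events, and the report data are assumptions made for the example.

```python
from __future__ import annotations

from collections import Counter

# Required responses per condition, taken from Exhibit 6-5-2.
RESPONSES = {
    1: ["Normal actions and requirements"],
    2: ["Increase in incident monitoring",
        "Look for patterns across a wide range of variables",
        "Alert all agencies to increase awareness activities",
        "Begin selective monitoring of critical elements"],
    3: ["Disconnect all unnecessary connections",
        "Turn on real-time audit for critical systems",
        "Begin mandatory reporting to central control"],
    4: ["Implement alternate routing",
        "Limit connectivity to minimal states",
        "Begin \"aggressive\" forensic investigations"],
    5: ["Disconnect critical elements from public infrastructure",
        "Implement WARM protocols",
        "Declare state of emergency"],
}
NAMES = {1: "I - Normal", 2: "II - Perturbation",
         3: "III - Heightened Defense Posture", 4: "IV - Serious",
         5: "V - Brink of War"}


def pct_increase(current: int, baseline: int) -> float:
    """Percentage increase over the baseline period (0 when no baseline exists)."""
    if baseline == 0:
        return 0.0
    return 100.0 * (current - baseline) / baseline


def count_by_region(reports) -> Counter:
    """Reports are constructed (region, kind) tuples as forwarded by the Services."""
    return Counter(region for region, _kind in reports)


def derive_level(reports, baseline: dict, special_context=False,
                 major_event=False, widespread=False) -> int:
    """Apply the exhibit's situation column; later tests override earlier ones,
    so a surgical or widespread event can jump straight from I to IV or V."""
    current = count_by_region(reports)
    all_incr = pct_increase(sum(current.values()), sum(baseline.values()))
    regional_incr = max((pct_increase(current.get(r, 0), b)
                         for r, b in baseline.items()), default=0.0)
    level = 1
    if regional_incr >= 10 or all_incr >= 15:   # II: regional 10% or overall 15%
        level = 2
    if all_incr >= 20:                          # III: 20% in all incident reports
        level = 3
    if major_event:                             # IV: major regional/functional event
        level = 4
    if widespread:                              # V: widespread incidents
        level = 5
    # Assumption: a special context (e.g. an ongoing deployment) raises the
    # condition one level, matching "Condition II with special contexts" -> III.
    if special_context and 2 <= level < 5:
        level += 1
    return level


def assess(reports, baseline, **context) -> tuple:
    level = derive_level(reports, baseline, **context)
    return NAMES[level], RESPONSES[level]


def make_reports(counts: dict) -> list:
    """Construct a flat batch of reports from per-region counts."""
    return [(region, "probe") for region, n in counts.items() for _ in range(n)]


if __name__ == "__main__":
    baseline = {"east": 100, "west": 100}   # constructed prior-period counts
    for counts, ctx in [({"east": 112, "west": 100}, {}),
                        ({"east": 112, "west": 100}, {"special_context": True}),
                        ({"east": 125, "west": 120}, {}),
                        ({"east": 100, "west": 100}, {"widespread": True})]:
        name, responses = assess(make_reports(counts), baseline, **ctx)
        print(name, "->", "; ".join(responses))
```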

6.6 ASSESS IW-D READINESS

Information warfare defense should be viewed from a warfighting perspective.
Operational forces should be able to detect, differentiate among, warn of,
respond to, and recover from disruptions of supporting information services.
Recovery from disruptions resulting from failures or attacks might involve
repair, reconstitution, or the employment of reserve assets. In some cases,
network managers may have to isolate portions of the network, including users
of the network, to preclude the spread of disruption. Given the speed with
which disruptions can propagate through networks, these capabilities may
need to be available in automated form within the network itself. Finally,
there must be some means to manage and control these capabilities. At its
heart, this is an operational readiness matter.

A standardized process to enable commanders to assess and report their
operational readiness status as it relates to their specific dependency on
information and information services is an essential element of operational
readiness. A standard vocabulary will enable common description of risk scenarios
and assessment methodologies. (A more complete explanation of the proposed
process is at Appendix C.) The use of a structured assessment and reporting
process will help move information assurance from a global and unsolvable
problem to the identification of discrete information and information service
dependencies that illuminate quantifiable risk to specific information dependent
activities within a commander's sphere of responsibility. A similar assessment
and reporting process can be applied by supporting elements and in the commercial
sector.

Exhibit 6-6 shows that information warfare (defense) must be mainstreamed
as a readiness issue. A means must be developed for including information
warfare (defense) issues in readiness reporting and a process must be developed
to assess the information warfare (defense) readiness posture independently.
The assessment scenarios differ from the threat conditions discussed earlier
in that the assessment scenarios are used to assess readiness against a wide
range of possible threats to specific units, missions, and functions, while
the threat conditions are used to describe the existing threat condition
to the broad interconnected population. The assessment scenarios are applied
locally, while the threat conditions are applied globally. Standardized
assessment scenarios could be used for planning considerations, in warning
orders, and so on. The assessment regime provides a means for addressing
variability and should be used in concept and operations planning.

The Task Force recommends that the Chairman of the Joint Chiefs of Staff
incorporate information warfare preparedness assessments in the Joint Reporting
System and into Joint Doctrine. The systems, reports and publications cited
are only examples that the Task Force reviewed to illustrate how these
assessments might be incorporated. Additional details will be provided in
the written report.

6.7 "RAISE THE BAR" WITH HIGH-PAYOFF, LOW-COST ITEMS

There are a number of things the Department can undertake, as shown in Exhibit
6-7, that are relatively low cost, but that will raise the bar significantly
for potential system and network intruders. Training and awareness have already
been emphasized. The two specific examples are cited to illustrate the fact
that there is existing Executive Branch policy regarding this matter and
that the use of banners to alert users is a good way to increase awareness.
Certification by users of banner understanding is another technique to emphasize
the importance. One of the Task Force members cited as an example the procedure
used in his company. On a periodic basis, users of the network are presented
with a security awareness quiz. If the questions are not answered correctly
after three tries, the user must have the systems administrator provide access
to the system or network.

Training and awareness

- Enforce provisions of Appendix 3, OMB Policy A-130

- Use banners

Improve security of DoD's unclassified computers

- Access control (get rid of fixed passwords!)

- Identification and authentication

- Much more effective than encryption in "raising the bar"

Promote use of government approved commercial security technologies

- Support JWCA Phase 5 plan of action

Action (ASD(C3I) lead):

- Direct the immediate use of approved products for access control
  - As an interim until a MISSI solution is implemented
  - For those users not programmed to receive MISSI products

- Examine feasibility of using approved products for identification and
authentication

- Require use of escrowed encryption for critical assets
  - Preclude rogue employee from locking up systems and networks
  - Data bases, program libraries, applications, transaction logs

Exhibit 6-7. "Raise the Bar" With High-Payoff, Low-Cost Items

One of the most important acts is to improve the security of DoD's unclassified
computers by instituting dynamic access control and authentication of users.
Until this is done, the Department has little assurance that it has any control
over these systems, many of which are essential to critical support functions.
The Department should also promote the use of existing commercial and government
security technologies.

The Task Force recommends the immediate use of commercial access control
technologies for this purpose. These technologies can be used as an interim
solution for MISSI and as a solution for those users not programmed to receive
MISSI. The Department should also explore the feasibility of using approved
commercial products for identification and authentication and continue its
plans for the use of escrowed encryption, particularly for the protection
of critical assets.

The current information infrastructure which supports telecommunications,
power, transportation, etc., is susceptible to IW attacks, and in particular
to wide-scale coordinated attacks aimed at disabling or disrupting government
as well as commercial systems. A strategy and overall architecture concept
must be developed for a minimum essential information infrastructure (MEII).
This minimum infrastructure can serve as a means for restoring services and
adapting to wide-scale outages. Milstar should be investigated as a means
for determining available connectivity and providing modest but critical
packet data service for exchange of routing, node status, and other essential
network management information. In this role, Milstar would be supplemented
with available commercial resources as possible and as needed.

The concept should consider the applications and deployment of secure gateways
connected to Milstar ground station equipment and reallocated Milstar assets
as a hardcore network for use in restoring critical connectivity. The
authentication of commercial wireline and wireless network access through
the gateway to the hardcore network is a critical issue, and must be addressed.

In addition to an overall MEII architectural concept, minimum essential services,
an operational concept, and a management structure must be developed. A strategy
must be developed for transitioning from peacetime or normal operational
activities to the minimum essential information infrastructure. It will be
important to execute the transition strategy in the context of exercises.

The minimum essential information infrastructure capability shown in Exhibit
6-8 could serve the Department for critical missions and functions and could
serve the nation for other national security-related functions. The 1995
DSB Summer Study titled Investments for 21st Century Military Superiority
recommended a minimum essential C3 capability. Included here are the specific
recommendations leading to that capability.

Current NII/DII is vulnerable

- Not designed for resiliency or repair

- Cannot fully depend on public switched network

Need

- Failsoft infrastructure to support critical functions while under attack

- Failsafe minimum infrastructure

- Failsafe capability to manage restoration independent of the public
switched network

6.9 FOCUS THE R&D

New information security products from biometric personnel identification
devices to advanced firewalls are being introduced every day into the commercial
marketplace. Many of the products are either focused on protecting against
network-based intrusions or are attempting to enable some form of electronic
commerce. However, these products often do not scale well in large distributed
environments, are too expensive, and are too difficult to configure.

The Department of Defense should monitor the progress in commercial information
technology and take care not to duplicate or reinvent the progress being
driven by market forces. However, the commercial market will not provide
the Department the necessary tools and techniques to rapidly and securely
assemble and protect a robust, resilient, deployable information system to
support a Joint Task Force or coalition operations. The Bosnia C2 Augmentation
initiative is an example of the challenge.

As cost-affordable technologies are developed, they should be given early
tests in the Joint C4ISR Battle Center Environment.

The Task Force is aware of several of the ongoing information system security
initiatives under way in DARPA and has read the descriptions of other IW-D
R&D efforts in the Joint Warfighting Science and Technology Plan and
in the Defense Technology Objectives of the Joint Warfighting Science and
Technology and Defense Technology Area Plan (both of May 1996). However,
the Task Force suggests a tighter, more integrated focus on support to U.S.
defense activities in the areas outlined in Exhibit 6-9. In addition, the Task
Force did initially consider a much broader and more comprehensive list of
R&D initiatives required for information warfare defense. Because of
the potential contribution of commercial activities to some of the Department's
requirements, the Task Force recommends the Department should focus its R&D
on those aspects of information protection and assurance not likely to be
addressed by the private sector. Several Task Force members stressed that
the R&D program must emphasize cost and operational realism. For example,
it would be helpful if the primary design criteria included per-seat costs
for installation, training, and support.

- Current security products are not designed to protect large distributed
environments

- Must devote attention to verifying security configuration of a rapidly
assembled system for Joint Task Force or coalition environments

- Educational programs for curriculum development at the undergraduate
and graduate levels in resilient system design practices

Exhibit 6-9. Focus the R&D

The development of robust survivable systems resistant to information warfare
attack, as well as other types of failure, must involve major advances in
technology and will require the efforts of a vigorous research community
embracing academia, industry, and government. Prior R&D efforts have
focused on areas such as computer and network security, encryption technology,
and single node failures. Little attention has been paid to surviving willful
malicious attack, or detecting and eliminating corrupt software.

The area of robust survivable systems offers an opportunity for a unifying
theme to develop a broad-based research effort covering the full range of
6.1, 6.2, and 6.3 research to overcome the current lack of significant new
ideas and problem solutions. Particular emphasis should be given to the following
areas:

- Designing a system such that no one event/attack will lead to process failure

- Design methods for work processes and software that enable the monitoring
of functional activities, provide for the graceful degradation of functional
activities, and ease the rapid restoration of functions.

As indicated in the previous exhibit, specific attention should be paid to
verifying the configuration of a rapidly assembled system for use in Joint
Task Force or coalition environments. This should include positive identification
of system components with passive identification of users, in both the static
and mobile environments.

Regarding test beds and simulation-based mechanisms, it will be important
to:

- Verify whatever security claims are made for a product

- Understand and model cascading events from an information warfare event

In addition to the above, the R&D community should also consider establishing
a focused effort on the theory, science and analysis of high assurance, massively
distributed systems to include:

- Developing rigorous mathematical approaches and principles for complex system
analysis and synthesis. The DARPA BAA 96-40, Survivability of Large Scale
Information Systems, 28 August 1996, provides a good start.

Finally, the Department should work with (and even possibly provide seed
money to) the National Science Foundation to establish research and education
programs for resilient system design in the universities and colleges.

6.10 STAFF FOR SUCCESS

IW vulnerability is often due to human error, insufficient training, lack
of knowledge of procedures, or failure to follow procedures or adhere to policy.
This vulnerability represents a gap which cannot be closed with technology alone.
Currently, capabilities of system and network administrators and system managers
vary widely. This is partially due to a lack of appropriate training, and
partially due to the difficulty in use of existing security products and
in obtaining information on how to configure a system securely.

A cadre of high-quality, trained professionals with recognized career paths
is an essential ingredient for defending present and future information systems.
It is recommended that research be conducted towards the development of
techniques, curricula, tools, and technology specifically for security-focused
training for system and network administrators. Developing partnerships with
universities, colleges, existing DoD professional development programs, and
vocational schools for the purpose of curriculum development will be an essential
ingredient of this process. It will also be important to capitalize on emerging
distributed interactive simulation technology to provide a realistic, dynamic,
operations center-like training environment indicative of a real-world IW
combat setting.

The Task Force acknowledges that there are a number of studies and initiatives
under way in the area of information warfare (defense) training. Included
in these is a recent NSTISSC review of training which recommended the development
of a database of all available INFOSEC training courses. NSTISSC has also
developed training standards for Systems Administrators, Information System
Security officers, and Designated Accreditation Authorities. However, efforts
throughout the Department do not appear to be well coordinated and there
does not appear to be a concerted effort to train systems and network
coordinators properly.

As shown in Exhibit 6-10, the Task Force recommends establishment of a skill
specialty for military personnel to enable the formation of a cadre of
knowledgeable and experienced defensive information warfare specialists.
The skill specialty is recommended instead of a career path to ensure that
operational experience is reflected in the performance of the information
warfare (defense) duties and to preclude the possible formation of a closed
community of experts.

Systems/network administrators are the first line of defense

- Need a professional cadre - not "other duties as assigned"

- Keep the defenses in good order

- Serve as the "picket line" to sound the warning

Need IW-D skills and awareness in all functional areas

Action:

- Establish a career path and mandate training and certification of systems
and network administrators (USD(P&R) lead)

6.11 RESOLVE THE LEGAL ISSUES

Legal issues can be a distraction from moving on with what can be done. As
shown in Exhibit 6-11, the Task Force found some confusion among the Department's
representatives regarding the scope of their authority to monitor systems
and networks for the purpose of assessing the security of the systems and
networks. As discussed earlier, the advent of distributed computing has and
will continue to blur the boundaries of the systems and networks that DoD
uses. Confusion also stems from uncertainty over when or whether a wiretap
approval is needed. All DoD system and network administrators should assume
that any intrusion is a hostile intrusion and take action to minimize the
effects of the intrusion and report the intrusion for purposes of tactical
warning and to obtain necessary protective support, including law enforcement.

Issues:

- Defending DoD systems

DoD has needed authority, but rules must be clarified

- Defending other government and civil systems

Need government-wide guidance (perhaps legislation)

Areas to examine include:

- DoD assistance to the private sector (e.g., Computer Security Act)

- Attacker of unknown nationality (intelligence versus U.S. persons)

- Tracking attackers through multiple systems

- Obtaining/requiring reports from the private sector owners and
operators of critical infrastructures

Action (General Counsel lead):

- For DoD systems, promulgate:

Guidance and unequivocal authority for DoD users to monitor, record
data, and repel intruders in computer systems for self protection

Banners that make it clear the DoD's presumption that intruders have
hostile intent and warn that DoD will take the appropriate response

IW-D rules of engagement for self-protection (including active response)
and civil infrastructure support

- Provide to the Presidential Commission on Critical Infrastructure
Protection proposed legislation, regulation, or executive orders for
defending other systems.

Exhibit 6-11. Resolve the Legal Issues

To lessen the confusion, the SECDEF/DEPSECDEF should direct the General Counsel
to explore this matter and issue rules of engagement regarding appropriate
defensive actions that may be taken upon detection of intrusions into and
attacks against DoD systems and networks. This should include promulgating
clear guidance regarding monitoring of systems under DoD control and the
use of warning banners on these systems.

The SECDEF/DEPSECDEF should also task the General Counsel to propose legislation,
regulation, or executive orders as may be needed to make clear the DoD role
in defending non-DoD systems. This should specifically address the need for
changes to the Computer Security Act, the capture of information on unidentified
intruders (issue of intelligence collection on U.S. persons), the authority
to conduct "hot pursuit" of intruders, and the ability to obtain reports
from the operators of critical elements of the civil infrastructure.

The findings and recommendations developed by the General Counsel should
be provided to the President's Commission to aid in their deliberation of
the legislative and policy initiatives required for the protection of the
critical infrastructures.

6.12 PARTICIPATE FULLY IN CRITICAL INFRASTRUCTURE PROTECTION

Exhibits 6-12-1 through 6-12-4 indicate the Task Force recommendations regarding
what DoD should offer to, advocate to, request from, and suggest to the
President's Commission. Exhibit 6-12-1 suggests what capabilities DoD might
offer to the Commission and the nation in support of critical infrastructure
protection. The Department should think through and propose to the Commission
appropriate national defense response and retaliation capabilities in the
event of an information warfare attack on the critical civil infrastructures,
understanding that Defense is not the sole element in responding to threats
to the national security.

Exhibit 6-12-2 suggests what DoD interests should be advocated before the
Commission. The information-age war powers for the President are suggested
in light of the outdated nature of Section 706 of the Communications Act
of 1934. This Act is the basis for Federal intervention in assuring the operation
of the telecommunications infrastructure. Critical infrastructure assurance
goals can be articulated in a general fashion, but should be eventually based
on the infrastructure dependency assessments discussed earlier in the report.

Action: Advocate DoD interests to the President's Commission

(USD(P) and ASD(C3I)):

- Continued clarity of responsibilities of the Commander-in-Chief and SECDEF
in any policy proposed by the President's Commission

- Information-age war powers for the President (draft necessary legislation)

In addition, there are many international aspects of information warfare
that must be addressed as the U.S. formulates a defensive information warfare
strategy that will guide DoD operations. For example:

- What international regimes currently address defensive information warfare,
and, if none, what regimes should be created to address defensive information
warfare?

- What agreements must be in place to effectively deal with the threat if
protect/detect/react capabilities require such activities as countermeasures,
tunneling through other nations' infrastructures, active monitoring, etc.?

- What information warfare actions constitute an act of war?

- How should IW-D concerns be addressed by country teams, defense attaches,
and other diplomats? What effect do status of forces agreements have on
IW-D strategies?

- Will the U.S. share IW-D technology (similar to President Reagan's proposal
of shared SDI)?

- Will there be vilification of certain types of IW attacks (e.g., against
health systems)?

- What are the critical interdependencies with other nations' infrastructures
(e.g., European financial systems)?

- Is it possible to coordinate crisis management for information systems of
global importance?

Exhibit 6-12-3 shows what DoD needs from the President's Commission.

Action: Request the President's Commission provide DoD

(USD(P) and ASD(C3I)):

- Essential critical infrastructure protection

- A national-level IW-D structure to include organization and procedures
for:

- Authority for DoD, law enforcement, and intelligence agencies to conduct
efficient coordinated monitoring of attacks on the critical civilian information
infrastructure (without knowing the nationality or location of attackers)
(previously discussed under "Resolve the legal issues")

- Procedures for DoD to provide assistance to elements of the critical
civilian information infrastructure when these elements are attacked
(previously discussed under "Resolve the legal issues")

Recognizing the difficulty of defining an appropriate role for the government
and the private sector in critical infrastructure protection, the Task Force
offers these suggested roles which DoD could provide to the Commission. These
suggestions are based on input to and deliberations by the Task Force and
individual panels of the Task Force. Exhibit 6-12-4 suggests such roles.

Action: Suggest IW-D roles for government and the private sector to the
President's Commission (USD(P) and ASD(C3I)):

The NSTAC model shown in Exhibit 6-12-6 could serve as a model for refining
the roles of government and industry as suggested here. Sensitive information
includes threats, vulnerabilities, intrusions and other incidents, fixes
to vulnerabilities, etc.

Exhibit 6-12-6 suggests a model as a starting point for refining the government
and private sector roles.

This exhibit provides another view of how the government and private-sector
roles might be defined. It also provides the Task Force view of how target
protection responsibilities might be assigned. The exhibit is not intended
to be authoritative, but to provide a construct for discussion of the roles
of the government and the private sector.

Some areas are exclusively the responsibility of the owner, while others
are exclusively the responsibility of government. It is in the areas of shared
responsibility between the owner and the government where much work must
be done to define levels of responsibility.

6.13 PROVIDE THE RESOURCES

Resources must be provided if a viable defensive information warfare capability
is to be achieved. The need has been recognized in part since an INFOSEC
special budget issue has been submitted each of the past 3 years. The Task
Force has developed a rough estimate of the resources required to get started.
The Department must make a detailed estimate. The resource estimates are
for resources in addition to those reflected in the proposed FY 97 budget,
so some reprogramming actions will be required for FY 97.

The Task Force recommends that the ASD(C3I) develop a detailed plan of action
to implement the recommendations and a detailed estimate of the resources
required.

Exhibit 6-13-2 shows the very rough estimated resources to implement the key
recommendations. The Task Force reviewed all of the individual
recommendations categorized under the key recommendations and estimated to
$5 million granularity what the implementation costs might be. The figures
are the totals of the individual recommendations for each key recommendation.
These resources are in addition to the current Information Systems Security
Program and other distributed information security costs, which in the aggregate
total about $1.6 billion annually. The Department should perform a more detailed
cost estimate.

SUMMARY

In summary, the Department must tie several factors together, as shown in
Exhibit 7-1.

And the Department must start immediately, as shown in Exhibit 7-2. Although
all the recommendations are important, the check marks [+] indicate where
the Task Force believes immediate action will jump-start the process of getting
a handle on this challenge. Again, as pointed out earlier, the DSB has called
for action on these matters in each of the past 3 years.

+ 1. Designate an accountable IW focal point

2. Organize for IW-D

3. Increase awareness

4. Assess infrastructure dependencies and vulnerabilities

5. Define threat conditions and responses

+ 6. Assess IW-D readiness

+ 7. "Raise the bar" (with high-payoff, low-cost items)

+ 8. Establish a minimum essential information infrastructure

9. Focus the R&D

10. Staff for success

11. Resolve the legal issues

12. Participate fully in critical infrastructure protection

+ 13. Provide the resources

Do it now!

(DSB has been saying this for 3 years.)

Exhibit 7-2. And Start Immediately!

APPENDICES

Appendices are provided as background and resource information. They do
not represent a consensus view of the Task Force and recommendations
contained in the Appendices are not Task Force recommendations to
the Department. Some of the appendices were used in part as input to
the main body of this report. Other appendices are provided because they
contain useful information for further discussion of matters addressed in
the main body of the report.